Abstract

Anonymous Hierarchical Identity-Based Encryption (HIBE) is an extension of Identity-Based
Encryption (IBE), and it provides not only a message hiding property but also an identity hiding property.
Anonymous HIBE schemes are applicable to anonymous communication systems and public key
encryption systems with keyword searching. However, previous anonymous HIBE schemes have
disadvantages: the security was proven in a weaker model, the ciphertexts are not short, or
the construction is based on composite order bilinear groups. In this paper, we propose the first
efficient anonymous HIBE scheme with short ciphertexts in prime order (asymmetric) bilinear groups, and
prove its security in the full model with an efficient reduction. To achieve this, we use the dual system
encryption methodology of Waters. We also present the benchmark results of our scheme by measuring
the performance of our implementation.

Keywords: Identity-based encryption, Hierarchical identity-based encryption, Anonymity, Full model
security, Bilinear maps.


*This work was partly supported by the MSIP (Ministry of Science, ICT & Future Planning), Korea, under the C-ITRC
(Convergence Information Technology Research Center) support program (NIPA-2013-H030T13-3007) supervised by the NIPA
(National IT Industry Promotion Agency) and the IT R&D program of MOTIE/KEIT [KI002113, Development of Security
Technology for Car-Healthcare].

† Korea University, Korea and Columbia University, USA. Email: guspin@korea.ac.kr.

‡ Korea University, Korea and Sangmyung University, Korea. Email: decartian@korea.ac.kr.

§ Korea University, Korea. Email: donghlee@korea.ac.kr.





1 Introduction 


Hierarchical Identity-Based Encryption (HIBE) is an extension of Identity-Based Encryption (IBE) that
uses an identity as a public key. In HIBE, a user’s identity is represented as a hierarchical tree structure
and an upper level user can delegate the private key generation capability to a lower level user. Horwitz
and Lynn introduced the concept of HIBE to reduce the burden of the private-key generator of IBE [27].
After the introduction of HIBE, it was shown that HIBE can have various applications like identity-based
signature [25], public-key broadcast encryption [20], forward-secure public key encryption [14], and
chosen-ciphertext secure HIBE [15].

Recently, as a result of the increasing concern with users’ privacy, the need for cryptographic systems
that protect users’ privacy also increases. Anonymous HIBE can provide users’ privacy by supporting not
only the message hiding property but also the identity hiding property that hides identity information in
ciphertexts. Abdalla et al. formalized the concept of anonymous HIBE [1]. After that, Boyen and Waters
proposed the first secure anonymous HIBE scheme without random oracles [13]. The main applications
of anonymous HIBE are anonymous communication systems that provide anonymity between a received
message and a true sender and public key encryption systems with keyword searching that enable keyword
searches on encrypted data HI.

The security model of anonymous HIBE is defined as a game between a challenger and an adversary.
In this game, the adversary adaptively requests private keys in the private key query step and selects two
hierarchical identities $ID_0, ID_1$ and two messages $M_0, M_1$ in the challenge step. Next, the adversary is
given a challenge ciphertext of $ID_\gamma, M_\gamma$ where $\gamma$ is a random bit chosen by the challenger. The
adversary wins the game if he can correctly guess $\gamma$. The security model is divided into a selective model,
where the adversary should commit the target hierarchical identities in the initial step, and a full model,
where the adversary can select the target hierarchical identities in the challenge step. Generally a
selectively secure HIBE scheme is converted to a fully secure HIBE scheme, but the reduction is inefficient [5].
The efficiency of the reduction is important not only for theoretical reasons but also for practical reasons.

Let $\mathrm{Adv}_{\mathcal{A}}$ be the advantage of an adversary $\mathcal{A}$ that breaks a scheme and
$\mathrm{Adv}_{\mathcal{B}}$ be the advantage of an algorithm $\mathcal{B}$ that breaks an assumption using the
adversary $\mathcal{A}$. Suppose that $\mathrm{Adv}_{\mathcal{A}} \le L \cdot \mathrm{Adv}_{\mathcal{B}}$ where $L$
is a reduction loss. Let $\lambda, k$ be the security level of the scheme and the assumption, respectively. If the
assumption provides the $k$-bit security, then it guarantees that $\mathrm{Adv}_{\mathcal{B}} \le 1/2^k$ for any
PPT algorithm $\mathcal{B}$. Then we can derive $\mathrm{Adv}_{\mathcal{A}} \le L \cdot 1/2^k$ from the two
inequalities $\mathrm{Adv}_{\mathcal{A}} \le L \cdot \mathrm{Adv}_{\mathcal{B}}$ and
$\mathrm{Adv}_{\mathcal{B}} \le 1/2^k$. To construct the scheme that provides the $\lambda$-bit security, it should
be guaranteed that $\mathrm{Adv}_{\mathcal{A}} \le 1/2^\lambda$ for any PPT adversary $\mathcal{A}$. It is easy to
achieve this by setting $L \cdot 1/2^k \le 1/2^\lambda$ since $\mathrm{Adv}_{\mathcal{A}} \le L \cdot 1/2^k$. Thus
we can derive the relation $k \ge \lambda + \log_2(L)$. This relation says that the bit size $k$ of a group order
for the assumption should be larger than $\lambda + \log_2(L)$ to construct the scheme with the $\lambda$-bit
security. For example, if there is a selectively secure scheme with a hierarchical depth $l = 10$, then we should
select $k = 880$ since $\lambda = 80$ and $L = 2^{\lambda l}$. Therefore, an ideal anonymous HIBE scheme should be
fully secure with a reduction loss less than $c \cdot q$ for a polynomial value $q$ and a constant $c$.

To construct a fully secure HIBE scheme with an efficient reduction, the new proof methodology named
the dual system encryption method was proposed by Waters [45]. In the dual system encryption method,
ciphertexts and private keys can be a normal type or a semi-functional type, and the semi-functional types
of ciphertexts and private keys are only used in security proofs. Additionally, the normal type and the
semi-functional type are indistinguishable, and the semi-functional ciphertexts are not decrypted by using
the semi-functional private keys. The proof of the dual system encryption method consists of hybrid games
that change a normal ciphertext and normal private keys to a semi-functional ciphertext and semi-functional
private keys. Using this methodology, Waters proposed a fully secure HIBE scheme with linear-size
ciphertexts and a fully secure HIBE scheme with constant-size ciphertexts [33, 45]. The dual system encryption
method can be used to prove the security of fully secure attribute-based encryption [31], fully secure
predicate encryption [37], and leakage-resilient cryptography [32].

The first secure anonymous HIBE scheme was proposed by Boyen and Waters [13], and it was proven
to be selectively secure without random oracles. After the first construction of anonymous HIBE, several
anonymous HIBE schemes were presented, but they were only proved to be secure in the selective model
EMU]. Recently, De Caro et al. proposed a fully secure anonymous HIBE scheme with short ciphertexts
by using the dual system encryption method [16]. However, their scheme is inefficient since the scheme is
based on composite order groups where the group order is a product of four prime numbers. One may
use the conversion method of Freeman [22] to construct a scheme in prime order groups from a scheme in
composite order groups, but this method cannot be applied to the dual system encryption method of Lewko
and Waters [33] since it does not provide the parameter hiding property in composite order groups.¹ Lewko
recently devised another conversion method for the dual system encryption method and constructed a
(non-anonymous) unbounded HIBE scheme with linear-size ciphertexts in prime order groups [30]. However, this
method is not known to be applicable for the construction of an anonymous HIBE scheme with constant-size
ciphertexts since it uses dual pairing vector spaces (DPVS).²

Anonymous HIBE can also be constructed from Predicate Encryption (PE) with the delegation
capability. Shi and Waters constructed an anonymous HIBE scheme with linear-size ciphertexts from a
delegatable Hidden Vector Encryption (dHVE) scheme [42] and Okamoto and Takashima constructed an
anonymous HIBE scheme with linear-size ciphertexts from a Hierarchical Inner Product Encryption (HIPE)
scheme [31, 36, 37, 39]. However, currently known anonymous HIBE schemes from PE schemes with the
delegation capability only have linear-size ciphertexts. It is also possible to derive anonymous HIBE from
anonymous Spatial Encryption (SE) [11, 19]. However, there is no known anonymous SE scheme with
constant-size ciphertexts. Thus the construction of efficient and fully secure anonymous HIBE with short
ciphertexts is an unsolved problem.

1.1 Our Contributions 

Motivated by the above challenge, we propose the first fully secure and anonymous HIBE scheme with short
ciphertexts in prime order (asymmetric) bilinear groups. The comparison between previous HIBE schemes
and ours is given in Table 1. To construct a fully secure and anonymous HIBE scheme, we use the IBE
scheme in prime order (asymmetric) bilinear groups of Lewko and Waters [33]. Note that their IBE scheme

ion-anonymous) HIBE scheme with short ciphertexts since it does not support 



To construct an anonymous HIBE scheme, we should devise techniques for private key re-randomization
and ciphertext anonymization. The private key re-randomization process is required in the delegation
algorithm of HIBE and anonymous HIBE. In HIBE, private keys are simply re-randomized using the public
elements of public parameters. However, private keys of anonymous HIBE cannot be simply re-randomized
using the public elements because an attacker can break anonymity using the public elements. To solve this
problem, we may use the private re-randomization technique of Boyen and Waters [13] that re-randomizes
private keys using the private elements of private keys. Nevertheless, if the private re-randomization
technique is used in the dual system encryption method, then additional random values in semi-functional
private keys are not completely randomized in the proof that distinguishes a normal private key from a
semi-functional private key.

¹ Lewko and Waters used the parameter hiding property of composite order groups to prove the full security of their HIBE
scheme using the dual system encryption technique [33]. The parameter hiding property of composite order $N = pqr$ states that
an exponent in $\mathbb{Z}_N$ has a one-to-one correspondence with $(\mathbb{Z}_p, \mathbb{Z}_q, \mathbb{Z}_r)$ because of the
Chinese Remainder Theorem (CRT), and the $\mathbb{Z}_q$ and $\mathbb{Z}_r$ values are information-theoretically hidden from an
adversary even if the $\mathbb{Z}_p$ value is revealed to the adversary.

² The dimension of DPVS is generally proportional to the size of an identity vector in a scheme that uses DPVS [30, 36, 39].
Thus an HIBE scheme based on DPVS that supports depth $l$ has linear-size ciphertexts since it requires at least $l$ dimensions in
DPVS. To reduce the dimensions of DPVS, one may try to use the technique of Okamoto and Takashima [38], but it only applies
to non-anonymous schemes since it should reveal the identity of ciphertexts.

³ To support private key re-randomization using a public key, some elements $\hat{g}, \hat{u}, \hat{h} \in \hat{G}$ in a private
key should be moved to a public key. However, these elements cannot be moved to the public key since the proof of dual system
encryption goes wrong.

Table 1: Comparison between previous HIBE schemes and ours

Scheme            ANON  R.L.                     Prime  PP Size           SK Size           CT Size           Assumption
GS-HIBE [25]      No    $\Omega(q^l)$            Yes    $O(\lambda)$      $O(l\lambda)$     $O(l\lambda)$     BDH (ROM)
BB-HIBE [5]       No    $\Omega(2^{\lambda l})$  Yes    $O(l\lambda)$     $O(l\lambda)$     $O(l\lambda)$     DBDH
BBG-HIBE 0        No    $\Omega(2^{\lambda l})$  Yes    $O(l\lambda)$     $O(l\lambda)$     $2k + k_T$        q-Type
CS-HIBE HI        No    $\Omega(q^l)$            Yes    $O(l\lambda)$     $O(l\lambda)$     $O(l\lambda)$     DBDH
Waters-HIBE [45]  No    $\Omega(q^2)$            Yes    $O(l\lambda)$     $O(l\lambda)$     $O(l\lambda)$     DBDH, DLIN
LW-HIBE [33]      No    $\Omega(q)$              No     $O(l\lambda)$     $O(l\lambda)$     $2k + k_T$        Static
LW-HIBE 01        No    $\Omega(q)$              No     $O(\lambda)$      $O(l\lambda)$     $O(l\lambda)$     Static
OT-HIPE [38]      No    $\Omega(q)$              Yes    $O(l^4\lambda)$   $O(l^2\lambda)$   $133k + k_T$      DLIN
Lewko-HIBE [30]   No    $\Omega(q)$              Yes    $O(\lambda)$      $O(l\lambda)$     $O(l\lambda)$     DLIN
BW-HIBE [13]      Yes   $\Omega(2^{\lambda l})$  Yes    $O(l^2\lambda)$   $O(l^2\lambda)$   $O(l\lambda)$     DBDH, DLIN
SKOS-HIBE [41]    Yes   $\Omega(2^{\lambda l})$  No     $O(l\lambda)$     $O(l\lambda)$     $3k + k_T$        q-Type
Ducas-HIBE EQ     Yes   $\Omega(2^{\lambda l})$  Yes    $O(l\lambda)$     $O(l\lambda)$     $3k + k_T$        q-Type
LL-HIBE [29]      Yes   $\Omega(2^{\lambda l})$  Yes    $O(l\lambda)$     $O(l\lambda)$     $6k + k_T$        q-Type
DIP-HIBE [16]     Yes   $\Omega(q)$              No     $O(l\lambda)$     $O(l\lambda)$     $2k + k_T$        Static
LOSTW-HIPE 02     Yes   $\Omega(lq)$             Yes    $O(l^4\lambda)$   $O(l^3\lambda)$   $O(l^2\lambda)$   q-Type
OT-HIPE 03        Yes   $\Omega(l^2 q)$          Yes    $O(l^3\lambda)$   $O(l^4\lambda)$   $O(l^2\lambda)$   DLIN
OT-HIPE 03        Yes   $\Omega(lq)$             Yes    $O(l^2\lambda)$   $O(l^2\lambda)$   $O(l\lambda)$     DLIN
Ours              Yes   $\Omega(q)$              Yes    $O(l\lambda)$     $O(l\lambda)$     $6k + k_T$        Static

ANON = anonymity, R.L. = reduction loss, Prime = prime order bilinear groups
$\lambda$ = security parameter, $l$ = hierarchical depth, $q$ = polynomial value, $k, k_T$ = the bit size of group $G$ and $G_T$.

To resolve this difficulty, we define two types of semi-functional private keys as semi-functional type-1
and semi-functional type-2, and we show that it is hard to distinguish these two types of semi-functional
private keys. The main idea to provide ciphertext anonymity is that the Decisional Diffie-Hellman (DDH)
assumption still holds in asymmetric bilinear groups of prime order. We prove the anonymity property of our
scheme by introducing a new assumption since the simple DDH assumption is not enough for the security
proof. Furthermore, we implemented our anonymous HIBE scheme using the PBC library to support our
claim of efficiency and we measured the performance of our scheme.

1.2 Related Work


IBE was introduced to solve the certificate management problem in public key encryption systems, but it
additionally requires a Private-Key Generator (PKG) li9jQT)J. HIBE was invented to reduce the burden of
the IBE’s PKG by re-arranging an identity as a hierarchical tree structure and by allowing the delegation of
private key generation from upper level users to lower level users [27]. Gentry and Silverberg proposed the
first HIBE scheme in the random oracle model [25]. Canetti et al. constructed the first HIBE scheme without
random oracles and introduced a selective model to prove the security of their scheme [14]. The selective
model was widely used in the security proof of IBE and HIBE even though it is weaker than the full model.
For instance, Boneh and Boyen proposed an efficient HIBE scheme with linear-size ciphertexts [5], and
Boneh et al. proposed an HIBE scheme with constant-size ciphertexts 0.

To construct a fully secure HIBE scheme, Boneh and Boyen showed that a selectively secure HIBE
scheme is naturally converted to a fully secure HIBE scheme with exponential loss of reduction efficiency
[5]. However, this approach has a serious problem: the efficiency of the reduction is $1/\Omega(2^{\lambda l})$
where $\lambda$ is a security parameter and $l$ is the maximum hierarchical depth. To remedy this situation, Waters
proposed an HIBE scheme by extending his fully secure IBE scheme with an efficient reduction to a HIBE
scheme [44], and Chatterjee and Sarkar improved the efficiency of Waters’ scheme l ITSll . However, these
schemes also have the problem of an inefficient reduction $1/\Omega(q^l)$ in the hierarchical setting where $q$ is a
polynomial value. Gentry and Halevi proposed another fully secure HIBE scheme with an efficient reduction
by using complex assumptions [24]. Recently, Waters introduced the dual system encryption method that
can be used to construct a fully secure HIBE scheme with an efficient reduction under simple assumptions
[45].

Anonymous IBE is related to public key encryption with keyword search (PEKS) ®[23]], and the
concept of anonymous HIBE was introduced by Abdalla et al. [1] by extending the concept of anonymous IBE.
Boyen and Waters proposed the first anonymous HIBE scheme without random oracles and proved its
security in the selective model [13]. For the construction of anonymous HIBE, they devised a linear splitting
technique for ciphertext anonymity and a private re-randomization technique for private key randomization.
Seo et al. proposed the first anonymous HIBE scheme with short ciphertexts in composite order bilinear
groups [41]. Ducas constructed anonymous HIBE schemes using asymmetric bilinear groups of prime
order EH. Lee and Lee proposed an efficient anonymous HIBE scheme with short ciphertexts that is secure in
all types of bilinear groups of prime order [29]. De Caro et al. proposed the first fully secure and anonymous
HIBE scheme with short ciphertexts using the dual system encryption method in composite order bilinear
groups [16].

HIBE schemes also can be constructed from Attribute Based Encryption (ABE) schemes [26] and
Predicate Encryption (PE) schemes with delegation capabilities [36, 42]. PE schemes with linear-size
ciphertexts that have the delegation capability include the dHVE scheme of Shi and Waters in composite
order bilinear groups [42] and HIPE schemes of Okamoto and Takashima based on dual pairing vector
spaces [31, 36, 37, 39]. A non-anonymous HIPE scheme based on dual pairing vector spaces can have
constant-size ciphertexts, but the ciphertext should contain a linear-size identity vector [38]. Though
bilinear groups were widely used in the construction of HIBE, some HIBE schemes were designed in
lattices EMU).
2 Preliminaries


We define anonymous HIBE and give the formal definition of its full model security. Let $\mathcal{I}$ be an identity
space and $\mathcal{M}$ be a message space. A hierarchical identity $ID$ of depth $c$ is defined as an identity vector
$(I_1, \ldots, I_c) \in \mathcal{I}^c$. A hierarchical identity $ID = (I_1, \ldots, I_c)$ of depth $c$ is a prefix of a
hierarchical identity $ID' = (I'_1, \ldots, I'_d)$ of depth $d$ if $c \le d$ and for all $i \in \{1, \ldots, c\}$, $I_i = I'_i$.

2.1 Anonymous HIBE 

An anonymous HIBE scheme consists of five algorithms (Setup, KeyGen, Delegate, Encrypt, Decrypt).
Formally it is defined as:

Setup($1^\lambda, l$). The setup algorithm takes as input a security parameter $1^\lambda$ and a maximum hierarchical
depth $l$. It outputs a master key $MK$ and public parameters $PP$.

KeyGen($ID, MK, PP$). The key generation algorithm takes as input a hierarchical identity $ID$ of depth $m$
where $m \le l$, the master key $MK$, and the public parameters $PP$. It outputs a private key $SK_{ID}$ for $ID$.

Delegate($ID', SK_{ID}, PP$). The delegation algorithm takes as input a hierarchical identity $ID'$ of depth $m + 1$
where $m + 1 \le l$, a private key $SK_{ID}$ for a hierarchical identity $ID$ of depth $m$, and the public parameters
$PP$. If $ID$ is a prefix of $ID'$, then it outputs a delegated private key $SK_{ID'}$ for $ID'$.

Encrypt($ID, M, PP$). The encryption algorithm takes as input a hierarchical identity $ID$ of depth $n$ where
$n \le l$, a message $M \in \mathcal{M}$, and the public parameters $PP$. It outputs a ciphertext $CT$ for $ID$ and $M$.

Decrypt($CT, SK_{ID}, PP$). The decryption algorithm takes as input a ciphertext $CT$ for a hierarchical identity
$ID'$, a private key $SK_{ID}$ for a hierarchical identity $ID$, and the public parameters $PP$. If $ID = ID'$, then
it outputs an encrypted message $M$.

The correctness property of anonymous HIBE is defined as follows: For all $MK, PP$ generated by Setup,
all $ID, ID' \in \mathcal{I}^n$, any $SK_{ID}$ generated by KeyGen, and any $M$, it is required that

• If $ID = ID'$, then Decrypt(Encrypt($ID', M, PP$), $SK_{ID}, PP$) $= M$.

• If $ID \ne ID'$, then Decrypt(Encrypt($ID', M, PP$), $SK_{ID}, PP$) $= \perp$ with all but negligible probability.

The second condition of the correctness property is not a trivial one to satisfy since the decryption algorithm
of anonymous HIBE cannot easily check whether $ID = ID'$ or not because of anonymity. One possible
relaxation is to use a computational condition instead of a statistical condition. For a computational condition,
we can use weak robustness of Abdalla et al. [2].

The security property of anonymous HIBE under a chosen plaintext attack is defined in terms of the
following experiment between a challenger $\mathcal{C}$ and a PPT adversary $\mathcal{A}$:

1. Setup: $\mathcal{C}$ runs Setup($1^\lambda, l$) to generate a master key $MK$ and public parameters $PP$. It keeps
$MK$ to itself and gives $PP$ to $\mathcal{A}$.

2. Query 1: $\mathcal{A}$ may adaptively request a polynomial number of private keys for hierarchical identities
$ID_1, \ldots, ID_{q_1}$ of arbitrary depths. In response, $\mathcal{C}$ gives the corresponding private keys
$SK_{ID_1}, \ldots, SK_{ID_{q_1}}$ to $\mathcal{A}$ by running KeyGen($ID_i, MK, PP$).

3. Challenge: $\mathcal{A}$ submits two hierarchical identities $ID_0^*, ID_1^* \in \mathcal{I}^n$ and two messages
$M_0^*, M_1^*$ with equal length subject to the restriction: for all $ID_i$ of private key queries, $ID_i$ is not a prefix
of $ID_0^*$ and $ID_1^*$. $\mathcal{C}$ flips a random coin $\gamma \in \{0, 1\}$ and gives the challenge ciphertext $CT^*$
to $\mathcal{A}$ by running Encrypt($ID_\gamma^*, M_\gamma^*, PP$).

4. Query 2: $\mathcal{A}$ may continue to request a polynomial number of private keys for hierarchical identities
$ID_{q_1+1}, \ldots, ID_q$ subject to the restriction as before.

5. Guess: $\mathcal{A}$ outputs a guess $\gamma' \in \{0, 1\}$ of $\gamma$, and wins the game if $\gamma' = \gamma$.

The advantage of $\mathcal{A}$ is defined as
$\mathrm{Adv}^{\text{A-HIBE}}_{\mathcal{A}}(\lambda) = |\Pr[\gamma = \gamma'] - 1/2|$ where the probability is taken over all
the randomness of the experiment. An anonymous HIBE scheme is fully secure under a chosen plaintext
attack if for all PPT adversaries $\mathcal{A}$, the advantage of $\mathcal{A}$ in the above experiment is negligible in the
security parameter $\lambda$.

The security experiment of anonymous HIBE can be relaxed to the complete one introduced by Shi and
Waters [42] that traces the path of delegation. Our definition of the security experiment that does not trace
the path of delegation is stronger than the complete one of Shi and Waters. Thus if an anonymous HIBE
scheme is secure in the security experiment of this section, then the scheme is also secure in the complete
one.


2.2 Asymmetric Bilinear Groups 

Let $G, \hat{G}$ and $G_T$ be multiplicative cyclic groups of prime order $p$ with the security parameter $\lambda$. Let
$g, \hat{g}$ be generators of $G, \hat{G}$. The bilinear map $e : G \times \hat{G} \to G_T$ has the following properties:

1. Bilinearity: $\forall u \in G, \forall \hat{v} \in \hat{G}$ and $\forall a, b \in \mathbb{Z}_p$,
$e(u^a, \hat{v}^b) = e(u, \hat{v})^{ab}$.

2. Non-degeneracy: $\exists g, \hat{g}$ such that $e(g, \hat{g})$ has order $p$, that is, $e(g, \hat{g})$ is a generator of $G_T$.

We say that $G, \hat{G}, G_T$ are bilinear groups with no efficiently computable isomorphisms if the group
operations in $G, \hat{G}$, and $G_T$ as well as the bilinear map $e$ are all efficiently computable, but there are no
efficiently computable isomorphisms between $G$ and $\hat{G}$.


2.3 Complexity Assumptions 


We introduce five assumptions under asymmetric bilinear groups of prime order. Assumptions 1 and 2
were introduced in Lewko and Waters [33], and Assumptions 3 and 4 are well-known. Assumption 5
(Asymmetric 3-Party Diffie-Hellman) is an asymmetric version of the Composite 3-Party Diffie-Hellman
assumption introduced by Boneh and Waters [12] with a slight modification by augmenting one additional
element, and it is secure in the generic group model.

Assumption 1 (LW1) Let $(p, G, \hat{G}, G_T, e)$ be a description of the asymmetric bilinear group of prime order
$p$ with the security parameter $\lambda$. Let $g, \hat{g}$ be generators of $G, \hat{G}$ respectively. The assumption is
that if the challenge values

$$D = \big((p, G, \hat{G}, G_T, e),\ g, g^a, g^b, g^{ab^2}, g^{b^2}, g^{b^3}, g^c, g^{ac}, g^{bc}, g^{b^2c}, g^{b^3c},\ \hat{g}, \hat{g}^b\big) \text{ and } T$$

are given, no PPT algorithm $\mathcal{B}$ can distinguish $T = T_0 = g^{ab^2c}$ from $T = T_1 = g^d$ with more than a
negligible advantage. The advantage of $\mathcal{B}$ is defined as
$\mathrm{Adv}^{A1}_{\mathcal{B}}(\lambda) = |\Pr[\mathcal{B}(D, T_0) = 0] - \Pr[\mathcal{B}(D, T_1) = 0]|$ where the
probability is taken over the random choice of $a, b, c, d \in \mathbb{Z}_p$.
Assumption 2 (LW2) Let $(p, G, \hat{G}, G_T, e)$ be a description of the asymmetric bilinear group of prime order
$p$ with the security parameter $\lambda$. Let $g, \hat{g}$ be generators of $G, \hat{G}$ respectively. The assumption is
that if the challenge values

$$D = \big((p, G, \hat{G}, G_T, e),\ g, g^a, g^{a^2}, g^{bx}, g^{abx}, g^{a^2x},\ \hat{g}, \hat{g}^a, \hat{g}^b, \hat{g}^c\big) \text{ and } T$$

are given, no PPT algorithm $\mathcal{B}$ can distinguish $T = T_0 = \hat{g}^{bc}$ from $T = T_1 = \hat{g}^d$ with more than
a negligible advantage. The advantage of $\mathcal{B}$ is defined as
$\mathrm{Adv}^{A2}_{\mathcal{B}}(\lambda) = |\Pr[\mathcal{B}(D, T_0) = 0] - \Pr[\mathcal{B}(D, T_1) = 0]|$ where the
probability is taken over the random choice of $a, b, c, x, d \in \mathbb{Z}_p$.

Assumption 3 (Symmetric external Diffie-Hellman) Let $(p, G, \hat{G}, G_T, e)$ be a description of the asymmetric
bilinear group of prime order $p$ with the security parameter $\lambda$. Let $g, \hat{g}$ be generators of $G, \hat{G}$
respectively. The assumption is that if the challenge values

$$D = \big((p, G, \hat{G}, G_T, e),\ g, \hat{g}, \hat{g}^a, \hat{g}^b\big) \text{ and } T$$

are given, no PPT algorithm $\mathcal{B}$ can distinguish $T = T_0 = \hat{g}^{ab}$ from $T = T_1 = \hat{g}^c$ with more than
a negligible advantage. The advantage of $\mathcal{B}$ is defined as
$\mathrm{Adv}^{A3}_{\mathcal{B}}(\lambda) = |\Pr[\mathcal{B}(D, T_0) = 0] - \Pr[\mathcal{B}(D, T_1) = 0]|$ where the
probability is taken over the random choice of $a, b, c \in \mathbb{Z}_p$.

Assumption 4 (Decisional Bilinear Diffie-Hellman) Let $(p, G, \hat{G}, G_T, e)$ be a description of the asymmetric
bilinear group of prime order $p$ with the security parameter $\lambda$. Let $g, \hat{g}$ be generators of $G, \hat{G}$
respectively. The assumption is that if the challenge values

$$D = \big((p, G, \hat{G}, G_T, e),\ g, g^a, g^b, g^c,\ \hat{g}, \hat{g}^a, \hat{g}^b, \hat{g}^c\big) \text{ and } T$$

are given, no PPT algorithm $\mathcal{B}$ can distinguish $T = T_0 = e(g, \hat{g})^{abc}$ from $T = T_1 = e(g, \hat{g})^d$
with more than a negligible advantage. The advantage of $\mathcal{B}$ is defined as
$\mathrm{Adv}^{A4}_{\mathcal{B}}(\lambda) = |\Pr[\mathcal{B}(D, T_0) = 0] - \Pr[\mathcal{B}(D, T_1) = 0]|$
where the probability is taken over the random choice of $a, b, c, d \in \mathbb{Z}_p$.

Assumption 5 (Asymmetric 3-Party Diffie-Hellman) Let $(p, G, \hat{G}, G_T, e)$ be a description of the asymmetric
bilinear group of prime order $p$ with the security parameter $\lambda$. Let $g, \hat{g}$ be generators of $G, \hat{G}$
respectively. The assumption is that if the challenge values

$$D = \big((p, G, \hat{G}, G_T, e),\ g, g^a, g^b, g^c, g^{ab}, g^{a^2b},\ \hat{g}, \hat{g}^a, \hat{g}^b\big) \text{ and } T$$

are given, no PPT algorithm $\mathcal{B}$ can distinguish $T = T_0 = g^{abc}$ from $T = T_1 = g^d$ with more than a
negligible advantage. The advantage of $\mathcal{B}$ is defined as
$\mathrm{Adv}^{A5}_{\mathcal{B}}(\lambda) = |\Pr[\mathcal{B}(D, T_0) = 0] - \Pr[\mathcal{B}(D, T_1) = 0]|$ where the
probability is taken over the random choice of $a, b, c, d \in \mathbb{Z}_p$.


3 Anonymous HIBE 

We construct an anonymous HIBE scheme in prime order (asymmetric) bilinear groups and prove its full 
model security under static assumptions. 

3.1 Construction 

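Let $\mathcal{I} = \mathbb{Z}_p^*$. Our anonymous HIBE scheme is described as follows:

Setup($1^\lambda, l$): This algorithm first generates the asymmetric bilinear groups $G, \hat{G}, G_T$ of prime order $p$ of
bit size $\Theta(\lambda)$. It chooses random elements $g \in G$ and $\hat{g} \in \hat{G}$. It also chooses random exponents
$\nu, \phi_1, \phi_2 \in \mathbb{Z}_p$, and sets $\tau = \phi_1 + \nu\phi_2$. Next, it selects random exponents
$y_h, \{y_{u_i}\}_{i=1}^{l}, y_w, \alpha \in \mathbb{Z}_p$ and sets $h = g^{y_h}$, $\hat{h} = \hat{g}^{y_h}$,
$\{u_i = g^{y_{u_i}}, \hat{u}_i = \hat{g}^{y_{u_i}}\}_{i=1}^{l}$, $\hat{w} =$ . It outputs a master key
$MK = (\hat{g}, \hat{g}^{\alpha}, \hat{h}, \{\hat{u}_i\}_{i=1}^{l})$ and public parameters as

$$PP = \Big( g, g^{\nu}, g^{-\tau},\ h, h^{\nu}, h^{-\tau},\ \{u_i, u_i^{\nu}, u_i^{-\tau}\}_{i=1}^{l},\ \hat{w}^{\phi_1}, \hat{w}^{\phi_2}, \hat{w},\ \Omega = e(g, \hat{g})^{\alpha} \Big).$$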


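KeyGen($ID, MK, PP$): This algorithm takes as input a hierarchical identity $ID = (I_1, \ldots, I_m) \in \mathcal{I}^m$ and the
master key $MK$. It first selects random exponents $r_1, c_1, c_2, \{c_{3,i}\}_{i=m+1}^{l} \in \mathbb{Z}_p$ and creates the
decryption and delegation components of a private key as

$$K_{1,1} = \hat{g}^{\alpha} \Big(\hat{h} \prod_{i=1}^{m} \hat{u}_i^{I_i}\Big)^{r_1} (\hat{w}^{\phi_1})^{c_1},\quad K_{1,2} = (\hat{w}^{\phi_2})^{c_1},\quad K_{1,3} = \hat{w}^{c_1},$$

$$K_{2,1} = \hat{g}^{r_1} (\hat{w}^{\phi_1})^{c_2},\quad K_{2,2} = (\hat{w}^{\phi_2})^{c_2},\quad K_{2,3} = \hat{w}^{c_2},$$

$$\big\{K_{3,i,1} = \hat{u}_i^{r_1} (\hat{w}^{\phi_1})^{c_{3,i}},\ K_{3,i,2} = (\hat{w}^{\phi_2})^{c_{3,i}},\ K_{3,i,3} = \hat{w}^{c_{3,i}}\big\}_{i=m+1}^{l}.$$

Next, it selects random exponents $r_2, c_4, c_5, \{c_{6,i}\}_{i=m+1}^{l} \in \mathbb{Z}_p$ and creates the randomization
components of the private key as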

m 

*t,i = * 1,2 = *i, 3 =w c4 , 

i=i 

*2,1 =r(w 01 ) C5 , *2,2 = (W 02 ) 05 , *2,3 =W C5 , 

{*3,1,1 = M- 2 (w 01 ) C6 G *3,1,2 = (w 02 ) C6 G *3,1,3 = W C6 ”}L+f 

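Finally, it outputs a private key as

$$SK_{ID} = \Big( K_{1,1}, K_{1,2}, K_{1,3},\ K_{2,1}, K_{2,2}, K_{2,3},\ \{K_{3,i,1}, K_{3,i,2}, K_{3,i,3}\}_{i=m+1}^{l},$$
$$\qquad\quad R_{1,1}, R_{1,2}, R_{1,3},\ R_{2,1}, R_{2,2}, R_{2,3},\ \{R_{3,i,1}, R_{3,i,2}, R_{3,i,3}\}_{i=m+1}^{l} \Big).$$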


Delegate($ID', SK_{ID}, PP$): This algorithm takes as input a hierarchical identity
$ID' = (I_1, \ldots, I_{m+1}) \in \mathcal{I}^{m+1}$ and a private key $SK_{ID}$ for a hierarchical identity
$ID = (I_1, \ldots, I_m) \in \mathcal{I}^m$ where $ID$ is a prefix of $ID'$.
Let $(W_1, W_2, W_3) = (\hat{w}^{\phi_1}, \hat{w}^{\phi_2}, \hat{w})$. It first selects random exponents
$\gamma_1, \delta_1, \delta_2, \{\delta_{3,i}\}_{i=m+2}^{l} \in \mathbb{Z}_p$, and
creates the decryption and delegation components of a delegated private key as

(*1 ,k *1 X*3,m+l,fc *)”»'*), <»<3> 




1<*<3 ’ 


Next, it selects random exponents $\gamma_2, \delta_4, \delta_5, \{\delta_{6,i}\}_{i=m+2}^{l} \in \mathbb{Z}_p$ and creates the
randomization components of the delegated private key as


(K\f = KK,> ( R 2,» = { (*W = «G<') KK,}!., 


m+2’ 
Finally, it outputs a delegated private key as


SKid' = (k[ a ,K[ 2 ,K[^ k'^k'^k'^ „,. 2 - 

p/ pf pf pf pf pf f pf pf pf \l 

^1,1j a 1,2> a 1,3> A 2,1’ A 2,2> A 2,3> I a 3,i, 1 » A 3,i,2> A 3,/,3Ji=m+2 


The distribution of the delegated private key is the same as the original private key since the random
values are defined as $r'_1 = r_1 + r_2\gamma_1$, $r'_2 = r_2\gamma_2$ where $r_1, r_2$ are random exponents in the private key
$SK_{ID}$. Note that $c_1, c_2, \{c_{3,i}\}, c_4, c_5, \{c_{6,i}\}$ are perfectly re-randomized since
$\hat{w}^{\phi_1}, \hat{w}^{\phi_2}, \hat{w}$ are publicly known and
$\delta_1, \delta_2, \{\delta_{3,i}\}, \delta_4, \delta_5, \{\delta_{6,i}\}$ are chosen randomly.

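Encrypt($ID, M, PP$): This algorithm takes as input a hierarchical identity $ID = (I_1, \ldots, I_n) \in \mathcal{I}^n$, a
message $M \in G_T$, and the public parameter $PP$. It selects a random exponent $t \in \mathbb{Z}_p$ and outputs a ciphertext
as

$$CT = \Big( C = \Omega^t M,\quad C_{1,1} = g^t,\quad C_{1,2} = (g^{\nu})^t,\quad C_{1,3} = (g^{-\tau})^t,$$
$$C_{2,1} = \Big(h \prod_{i=1}^{n} u_i^{I_i}\Big)^t,\quad C_{2,2} = \Big(h^{\nu} \prod_{i=1}^{n} (u_i^{\nu})^{I_i}\Big)^t,\quad C_{2,3} = \Big(h^{-\tau} \prod_{i=1}^{n} (u_i^{-\tau})^{I_i}\Big)^t \Big).$$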

Decrypt($CT, SK_{ID}, PP$): This algorithm takes as input a ciphertext $CT$ and a private key $SK_{ID}$ for a
hierarchical identity $ID$. It outputs the encrypted message as

$$M \leftarrow C \cdot \prod_{i=1}^{3} e(C_{1,i}, K_{1,i})^{-1} \cdot \prod_{i=1}^{3} e(C_{2,i}, K_{2,i}).$$


3.2 Correctness 


The first condition of the correctness property can be easily checked by the following equation as

$$\prod_{i=1}^{3} e(C_{1,i}, K_{1,i})^{-1} \cdot \prod_{i=1}^{3} e(C_{2,i}, K_{2,i}) = e\Big(g^t, \hat{g}^{\alpha} \Big(\hat{h} \prod_{i=1}^{n} \hat{u}_i^{I_i}\Big)^{r_1}\Big)^{-1} \cdot e\Big(\Big(h \prod_{i=1}^{n} u_i^{I_i}\Big)^t, \hat{g}^{r_1}\Big) = e(g, \hat{g})^{-\alpha t}$$

since the inner product of $(1, \nu, -\tau)$ and $(\phi_1, \phi_2, 1)$ is zero. The second condition of the correctness
property can be satisfied by using the technique of Boneh and Waters [12] that uses the limited message space.
If we use a computational condition instead of a statistical condition, then we can achieve weak robustness
by using the transformation of Abdalla et al. [2].


3.3 Security Analysis 

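Theorem 3.1. The above anonymous HIBE scheme is fully secure under a chosen plaintext attack if
Assumptions 1, 2, 3, 4 and 5 hold. That is, for any PPT adversary $\mathcal{A}$, there exist PPT algorithms
$\mathcal{B}_1, \mathcal{B}_2, \mathcal{B}_3, \mathcal{B}_4$, and $\mathcal{B}_5$ such that

$$\mathrm{Adv}^{\text{A-HIBE}}_{\mathcal{A}}(\lambda) \le \mathrm{Adv}^{A1}_{\mathcal{B}_1}(\lambda) + q\big(\mathrm{Adv}^{A2}_{\mathcal{B}_2}(\lambda) + \mathrm{Adv}^{A3}_{\mathcal{B}_3}(\lambda)\big) + \mathrm{Adv}^{A4}_{\mathcal{B}_4}(\lambda) + \mathrm{Adv}^{A5}_{\mathcal{B}_5}(\lambda)$$

where $q$ is the maximum number of private key queries of $\mathcal{A}$.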
Proof. To prove the security of our scheme, we use the dual system encryption technique of [33, 45]. We
first describe a semi-functional key generation algorithm and a semi-functional encryption algorithm. They
are not used in a real system, but they are used in the security proof. For semi-functionality, we set
$f = g^{y_f}$, $\hat{f} = \hat{g}^{y_f}$ where $y_f$ is a random exponent in $\mathbb{Z}_p$.


KeyGenSF-1. The semi-functional type-1 key generation algorithm first creates a normal private key using
the master key. Let $(K'_{1,1}, \ldots, \{R'_{3,i,1}, \ldots, R'_{3,i,3}\}_{i=m+1}^{l})$ be the normal private key of a
hierarchical identity $ID = (I_1, \ldots, I_m)$ with random exponents
$r_1, r_2, c_1, c_2, \{c_{3,i}\}, c_4, c_5, \{c_{6,i}\} \in \mathbb{Z}_p$. It selects random
exponents $s_{k,1}, z_{k,1}, \{z_{k,2,i}\}_{i=m+1}^{l}, s_{k,2} \in \mathbb{Z}_p$ and outputs a semi-functional type-1 private
key as

* 1,1 = 
K 2 j = 
{•£ 3 , 1,1 
*1,1 = 
* 2,1 = 
{*3,i,l 


KlAf- 


vy*,izt,i 


K h 2 = K[Jw, k 13 = k[ 3 , 


K^(r v y^,K 2 . 2 = 

^tCTT’ 1 ^, 
^t,t(r v ) w ! Ri,i 
R 2 ,i(f~ v y k '\ R2.2 = 


K’l.ih' - * 2,3 = * 2 , 3 , 

>■3.1.2 l^. 2 .M Ui - L w =L' 3J3 y. =m+v 

= R\ J S ^-'. R ]3 =R\ 3 , 

* 2 , 2 /^, * 2,3 =* 2 , 3 > 

R3:a = R'3,J Sk - 2ZkX ', R3,i,3=R'3,i,3}l m+V 


Note that the randomization components should contain the semi-functional part since this semi¬ 
functional part enables the correct simulation of the security proof for anonymity. 


KeyGenSF-2. The semi-functional type-2 key generation algorithm first creates a normal private key using the master key. Let $(K'_{1,1}, \ldots, \{R'_{3,i,1}, \ldots, R'_{3,i,3}\}_{i=m+1}^{l})$ be the normal private key of a hierarchical identity $ID = (I_1, \ldots, I_m)$. It selects random exponents $s_{k,1}, z_{k,1}, \{z_{k,2,i}\}_{i=m+1}^{l}, s_{k,2}, z_{k,3}, \{z_{k,4,i}\}_{i=m+1}^{l} \in \mathbb{Z}_p$ and outputs a semi-functional type-2 private key the same as the semi-functional type-1 private key except that the randomization components are generated as

$$\begin{aligned}
& R_{1,1} = R'_{1,1} (\hat{f}^{-\nu})^{s_{k,2} z_{k,3}},\ R_{1,2} = R'_{1,2} \hat{f}^{s_{k,2} z_{k,3}},\ R_{1,3} = R'_{1,3}, \\
& R_{2,1} = R'_{2,1} (\hat{f}^{-\nu})^{s_{k,2}},\ R_{2,2} = R'_{2,2} \hat{f}^{s_{k,2}},\ R_{2,3} = R'_{2,3}, \\
& \{ R_{3,i,1} = R'_{3,i,1} (\hat{f}^{-\nu})^{s_{k,2} z_{k,4,i}},\ R_{3,i,2} = R'_{3,i,2} \hat{f}^{s_{k,2} z_{k,4,i}},\ R_{3,i,3} = R'_{3,i,3} \}_{i=m+1}^{l}.
\end{aligned}$$

Note that new random exponents $z_{k,3}, \{z_{k,4,i}\}_{i=m+1}^{l}$ are chosen to generate the randomization components of the semi-functional type-2 private key, whereas the same exponents $z_{k,1}, \{z_{k,2,i}\}_{i=m+1}^{l}$ of the decryption and delegation components are used to generate the randomization components in the semi-functional type-1 private key.


EncryptSF. The semi-functional encryption algorithm first creates a normal ciphertext using the public parameters. Let $(C', C'_{1,1}, \ldots, C'_{2,3})$ be the normal ciphertext. It selects random exponents $s_c, z_c \in \mathbb{Z}_p$ and outputs a semi-functional ciphertext as

$$\begin{aligned}
& C = C',\ C_{1,1} = C'_{1,1},\ C_{1,2} = C'_{1,2} f^{s_c},\ C_{1,3} = C'_{1,3} (f^{-\phi_2})^{s_c}, \\
& C_{2,1} = C'_{2,1},\ C_{2,2} = C'_{2,2} f^{s_c z_c},\ C_{2,3} = C'_{2,3} (f^{-\phi_2})^{s_c z_c}.
\end{aligned}$$

If we decrypt a semi-functional ciphertext by using a semi-functional type-2 private key, then the decryption fails since an additional element $e(f, \hat{f})^{s_c ((s_{k,1} z_{k,1} + s_{k,2} z_{k,3} \gamma) - (s_{k,1} + s_{k,2} \gamma) z_c)}$ remains. Note that the decryption can be done after re-randomizing the private key using a random exponent $\gamma$. If $(s_{k,1} z_{k,1} + s_{k,2} z_{k,3} \gamma) = (s_{k,1} + s_{k,2} \gamma) z_c$ then the decryption algorithm succeeds. However, the probability of this is negligible since $s_{k,1}, s_{k,2}, z_{k,1}, z_{k,3}, z_c, \gamma$ are randomly chosen. In case of the semi-functional type-1 private key, the additional random element can be restated as $e(f, \hat{f})^{(s_{k,1} + s_{k,2} \gamma) s_c (z_{k,1} - z_c)}$. If $z_{k,1} = z_c$, then the decryption algorithm succeeds. In this case, we say that the private key is nominally semi-functional type-1.

The security proof consists of a sequence of games. The first game will be the original security game 
and the last one will be a game such that the adversary has no advantage. We define the games as follows: 

Game $\mathbf{G}_0$. This game is the original security game. That is, the private keys and the challenge ciphertext are normal.

Game $\mathbf{G}_1$. We first modify $\mathbf{G}_0$ into a new game $\mathbf{G}_1$. This game is almost identical to $\mathbf{G}_0$ except that the challenge ciphertext is semi-functional.

Game $\mathbf{G}_2$. Next, we modify $\mathbf{G}_1$ into a game $\mathbf{G}_2$. In this game, the private keys are semi-functional type-2 and the challenge ciphertext is semi-functional. Suppose that an adversary makes at most $q$ private key queries. For the security proof, we define a sequence of games $\mathbf{G}_{1,0}, \ldots, \mathbf{G}'_{1,k}, \mathbf{G}_{1,k}, \ldots, \mathbf{G}_{1,q}$ where $\mathbf{G}_{1,0} = \mathbf{G}_1$. In $\mathbf{G}'_{1,k}$ and $\mathbf{G}_{1,k}$, a normal private key is given to the adversary for all $j$-th private key queries such that $j > k$ and a semi-functional type-2 private key is given to the adversary for all $j$-th private key queries such that $j < k$. However, for the $k$-th private key query, a semi-functional type-1 private key is given to the adversary in $\mathbf{G}'_{1,k}$ whereas a semi-functional type-2 private key is given in $\mathbf{G}_{1,k}$. It is obvious that $\mathbf{G}_{1,q}$ is equal to $\mathbf{G}_2$.

Game $\mathbf{G}_3$. We now define a new game. This game differs from $\mathbf{G}_2$ where the challenge ciphertext component $C$ is replaced by a random element in $\mathbb{G}_T$.

Game $\mathbf{G}_4$. Finally, we change $\mathbf{G}_3$ to a new game $\mathbf{G}_4$. In this game, the semi-functional ciphertext components $(C_{2,1}, C_{2,2}, C_{2,3})$ are formed as $(P^{t}, (P^{\nu})^{t} f^{s_c z_c}, (P^{-\tau})^{t} (f^{-\phi_2})^{s_c z_c})$ where $P$ is a random element in $\mathbb{G}$. In this game, the challenge ciphertext gives no information about the random coin $\gamma$. Therefore, the adversary can win this game with probability at most $1/2$.

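Let $\mathbf{Adv}^{G_j}_{\mathcal{A}}$ be the advantage of $\mathcal{A}$ in $\mathbf{G}_j$ for $j = 0, \ldots, 4$. Let $\mathbf{Adv}^{G_{1,k}}_{\mathcal{A}}$ and $\mathbf{Adv}^{G'_{1,k}}_{\mathcal{A}}$ be the advantage of $\mathcal{A}$ in $\mathbf{G}_{1,k}$ and $\mathbf{G}'_{1,k}$ for $k = 0, \ldots, q$. It is clear that $\mathbf{Adv}^{HIBE}_{\mathcal{A}}(\lambda) = \mathbf{Adv}^{G_0}_{\mathcal{A}}$, $\mathbf{Adv}^{G_{1,0}}_{\mathcal{A}} = \mathbf{Adv}^{G_1}_{\mathcal{A}}$, $\mathbf{Adv}^{G_{1,q}}_{\mathcal{A}} = \mathbf{Adv}^{G_2}_{\mathcal{A}}$, and $\mathbf{Adv}^{G_4}_{\mathcal{A}} = 0$. From the following five Lemmas, we obtain that it is hard to distinguish $\mathbf{G}_{i-1}$ from $\mathbf{G}_i$ under the given assumptions. Therefore, we have that

$$\begin{aligned}
\mathbf{Adv}^{HIBE}_{\mathcal{A}}(\lambda) &= \mathbf{Adv}^{G_0}_{\mathcal{A}} + \sum_{i=1}^{3} \big(\mathbf{Adv}^{G_i}_{\mathcal{A}} - \mathbf{Adv}^{G_i}_{\mathcal{A}}\big) - \mathbf{Adv}^{G_4}_{\mathcal{A}} \le \sum_{i=1}^{4} \big|\mathbf{Adv}^{G_{i-1}}_{\mathcal{A}} - \mathbf{Adv}^{G_i}_{\mathcal{A}}\big| \\
&= \mathbf{Adv}^{A1}_{\mathcal{B}_1}(\lambda) + \sum_{k=1}^{q} \big(\mathbf{Adv}^{A2}_{\mathcal{B}_2}(\lambda) + \mathbf{Adv}^{A3}_{\mathcal{B}_3}(\lambda)\big) + \mathbf{Adv}^{A4}_{\mathcal{B}_4}(\lambda) + \mathbf{Adv}^{A5}_{\mathcal{B}_5}(\lambda).
\end{aligned}$$

This completes our proof of Theorem 3.1. □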

Lemma 3.2. If Assumption 1 holds, then no PPT algorithm can distinguish between $\mathbf{G}_0$ and $\mathbf{G}_1$ with a non-negligible advantage. That is, for any adversary $\mathcal{A}$, there exists a PPT algorithm $\mathcal{B}_1$ such that $|\mathbf{Adv}^{G_0}_{\mathcal{A}} - \mathbf{Adv}^{G_1}_{\mathcal{A}}| = \mathbf{Adv}^{A1}_{\mathcal{B}_1}(\lambda)$.

Lemma 3.3. If Assumption 2 holds, then no PPT algorithm can distinguish between $\mathbf{G}_{1,k-1}$ and $\mathbf{G}'_{1,k}$ with a non-negligible advantage. That is, for any adversary $\mathcal{A}$, there exists a PPT algorithm $\mathcal{B}_2$ such that $|\mathbf{Adv}^{G_{1,k-1}}_{\mathcal{A}} - \mathbf{Adv}^{G'_{1,k}}_{\mathcal{A}}| = \mathbf{Adv}^{A2}_{\mathcal{B}_2}(\lambda)$.

Lemma 3.4. If Assumption 3 holds, then no PPT algorithm can distinguish between $\mathbf{G}'_{1,k}$ and $\mathbf{G}_{1,k}$ with a non-negligible advantage. That is, for any adversary $\mathcal{A}$, there exists a PPT algorithm $\mathcal{B}_3$ such that $|\mathbf{Adv}^{G'_{1,k}}_{\mathcal{A}} - \mathbf{Adv}^{G_{1,k}}_{\mathcal{A}}| = \mathbf{Adv}^{A3}_{\mathcal{B}_3}(\lambda)$.

Lemma 3.5. If Assumption 4 holds, then no PPT algorithm can distinguish between $\mathbf{G}_2$ and $\mathbf{G}_3$ with a non-negligible advantage. That is, for any adversary $\mathcal{A}$, there exists a PPT algorithm $\mathcal{B}_4$ such that $|\mathbf{Adv}^{G_2}_{\mathcal{A}} - \mathbf{Adv}^{G_3}_{\mathcal{A}}| = \mathbf{Adv}^{A4}_{\mathcal{B}_4}(\lambda)$.

Lemma 3.6. If Assumption 5 holds, then no PPT algorithm can distinguish between $\mathbf{G}_3$ and $\mathbf{G}_4$ with a non-negligible advantage. That is, for any adversary $\mathcal{A}$, there exists a PPT algorithm $\mathcal{B}_5$ such that $|\mathbf{Adv}^{G_3}_{\mathcal{A}} - \mathbf{Adv}^{G_4}_{\mathcal{A}}| = \mathbf{Adv}^{A5}_{\mathcal{B}_5}(\lambda)$.

The security proofs of Lemmas 3.2, 3.3, 3.4, 3.5 and 3.6 are given in Section 5.

3.4 Extensions 

Relaxed Security Model. The original security experiment of anonymous HIBE requires that an adversary should select two hierarchical identities $ID_0^*, ID_1^* \in \mathcal{I}^{n}$ with equal depth $n$. One possible relaxation of the security experiment of anonymous HIBE is to allow the adversary to select two hierarchical identities $ID_0^* \in \mathcal{I}^{n_1}, ID_1^* \in \mathcal{I}^{n_2}$ with different depths $n_1, n_2$. Our scheme is also fully secure in this relaxed security experiment since the ciphertext size is constant. The two challenge hierarchical identities with different depths only matter in the security proof that distinguishes $\mathbf{G}_3$ from $\mathbf{G}_4$. In that proof, we showed that the adversary cannot distinguish the challenge hierarchical identity $ID^*$ from a random value. Thus our scheme is secure in this relaxed experiment since the ciphertext size does not reveal the depth of the hierarchical identity.

4 Performance Analysis 

In this section, we analyze the running time of our scheme, and then we measure the performance of the 
scheme by implementing it. 

4.1 Runtime Analysis 

To analyze the efficiency of our scheme, we use the abstract cost of expensive mathematical operations. In bilinear groups, the expensive operations are exponentiation operations and pairing operations. Additionally, the efficiency of exponentiations and pairings can be improved by doing $m$-term exponentiations and $m$-term pairings respectively. The abstract cost of these operations is defined as follows:

• MPairCost$(\mathbb{G}, \hat{\mathbb{G}}, m)$: $m$-term pairing $\prod_{i=1}^{m} e(g_i, \hat{h}_i)$ where $g_i \in \mathbb{G}, \hat{h}_i \in \hat{\mathbb{G}}$

• PairCost$(\mathbb{G}, \hat{\mathbb{G}})$: pairing $e(g, \hat{h})$ where $g \in \mathbb{G}, \hat{h} \in \hat{\mathbb{G}}$

• MExpCost$(\mathbb{G}, m)$: $m$-term exponentiation $\prod_{i=1}^{m} g_i^{a_i}$ where $g_i \in \mathbb{G}$

• ExpCost$(\mathbb{G})$: exponentiation $g^{a}$ where $g \in \mathbb{G}$

Let $l$ be the maximum number of hierarchical depth and $d$ be the depth of $ID$. We define the abstract costs of the setup algorithm, the key generation algorithm, the delegation algorithm, the encryption algorithm, and the decryption algorithm as SetupCost, GenCost, DelCost, EncCost, DecCost respectively. The abstract costs of these algorithms are obtained as follows:

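$$\begin{aligned}
\mathrm{SetupCost}(l) &> (2l + 4) * \mathrm{ExpCost}(\mathbb{G}) + 2 * \mathrm{ExpCost}(\hat{\mathbb{G}}) + \mathrm{PairCost}(\mathbb{G}, \hat{\mathbb{G}}), \\
\mathrm{GenCost}(l, d) &> (4(l - d) + 4) * \mathrm{ExpCost}(\hat{\mathbb{G}}) + (2(l - d) + 2) * \mathrm{MExpCost}(\hat{\mathbb{G}}, 2) + \frac{d}{m} * \mathrm{MExpCost}(\hat{\mathbb{G}}, m), \\
\mathrm{DelCost}(l, d) &> (6(l - d) + 6) * \mathrm{MExpCost}(\hat{\mathbb{G}}, 2) + 9 * \mathrm{ExpCost}(\hat{\mathbb{G}}), \\
\mathrm{EncCost}(d) &> \frac{3d}{m} * \mathrm{MExpCost}(\mathbb{G}, m) + 6 * \mathrm{ExpCost}(\mathbb{G}) + \mathrm{ExpCost}(\mathbb{G}_T), \\
\mathrm{DecCost} &> 2 * \mathrm{MPairCost}(\mathbb{G}, \hat{\mathbb{G}}, 3).
\end{aligned}$$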

In asymmetric bilinear groups, the bit size of $\hat{\mathbb{G}}$ and the bit size of $\mathbb{G}_T$ increase proportionally to the embedding degree of asymmetric bilinear groups. Thus the cost of exponentiation in $\hat{\mathbb{G}}$ is higher than the cost of exponentiation in $\mathbb{G}$. In our scheme, the cost of the key generation algorithm and the cost of the delegation algorithm are higher than the cost of other algorithms since our scheme uses group elements in $\mathbb{G}$ for ciphertexts and group elements in $\hat{\mathbb{G}}$ for private keys, and these costs decrease proportionally to the depth of $ID$. The cost of the encryption algorithm is small since it uses $m$-term exponentiations in $\mathbb{G}$, and the cost of the decryption algorithm is constant.

4.2 Implementation 

To show the efficiency of our scheme, we present the implementation of our scheme and analyze the performance of it. We use the Pairing Based Cryptography (PBC) library [35] to implement our scheme, and we use a notebook computer with an Intel Core i5 2.53 GHz CPU as a test machine. We select a 175-bit Miyaji-Nakabayashi-Takano (MNT) curve with embedding degree 6. In the 175-bit MNT curve, the group size of $\mathbb{G}$ is about 175 bits, the group size of $\hat{\mathbb{G}}$ is about 525 bits, and the group size of $\mathbb{G}_T$ is about 1050 bits. The PBC library on the test machine can compute an exponentiation of $\mathbb{G}$ in 1.6 ms, an exponentiation of $\hat{\mathbb{G}}$ in 20.3 ms, an exponentiation of $\mathbb{G}_T$ in 4.7 ms, and a pairing in 15.6 ms. Additionally, the PBC library can compute a three-term multi-exponentiation of $\mathbb{G}$ in 2.1 ms, a two-term multi-exponentiation of $\hat{\mathbb{G}}$ in 27.3 ms, a three-term multi-exponentiation of $\hat{\mathbb{G}}$ in 28.6 ms, and a three-term multi-pairing in 31.2 ms. Therefore, we can obtain the cost of our scheme using the 175-bit MNT curve on the test machine as follows:

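$$\begin{aligned}
\mathrm{GenCost}(l, d) &> 135.8 * (l - d) + 9.5 * d + 135.8 \text{ ms}, \\
\mathrm{DelCost}(l, d) &> 163.8 * (l - d) + 346.5 \text{ ms}, \\
\mathrm{EncCost}(d) &> 2.1 * d + 14.3 \text{ ms}, \\
\mathrm{DecCost} &> 62.4 \text{ ms}.
\end{aligned}$$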

Let $l = 30$. The performance results of each algorithm are described in Figure 1. The setup algorithm takes about 0.936 seconds to generate the public parameters and the master key. The key generation algorithm and the delegation algorithm for one depth take about 4.259 seconds and 5.257 seconds respectively.

Figure 1: Performance of our HIBE scheme. (a) key generation time, (b) delegation time, (c) encryption, decryption time


One method to improve the performance of the key generation algorithm is to preprocess the public parameters and the master key. If the preprocessing method is used, then the cost of the key generation algorithm is reduced to 1/5. This method also can be used in the delegation algorithm.


5 Proof of Lemmas 

In this section, we give the security proofs of Lemmas for our HIBE scheme. 


5.1 Proof of Lemma 3.2 (Indistinguishability of $\mathbf{G}_0$ and $\mathbf{G}_1$)

In this proof, private keys are normal and the challenge ciphertext should be normal or semi-functional 
depending on the T value of the given assumption. The main idea of this proof is that a simulator can only 
create normal private keys since an element for semi-functional private keys is not given in the assumption 
and the simulator embeds the T element of the assumption into the challenge ciphertext. 

Simulator. Suppose there exists an adversary $\mathcal{A}$ that distinguishes between $\mathbf{G}_0$ and $\mathbf{G}_1$ with a non-negligible advantage. A simulator $\mathcal{B}_1$ that breaks Assumption 1 using $\mathcal{A}$ is given: a challenge tuple $D = ((p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e), k, k^{a}, k^{b}, k^{ab^2}, k^{b^2}, k^{b^3}, k^{c}, k^{ac}, k^{bc}, k^{b^2c}, k^{b^3c}, \hat{k}, \hat{k}^{b})$ and $T$ where $T = T_0 = k^{ab^2c}$ or $T = T_1 = k^{ab^2c+d}$. Then $\mathcal{B}_1$ that interacts with $\mathcal{A}$ is described as follows: $\mathcal{B}_1$ first chooses random exponents $\phi_2, B, \{A_i\}_{i=1}^{l}, \alpha \in \mathbb{Z}_p$ and random blinding values $y_g, y_h, \{y_{u_i}\}_{i=1}^{l}, y_w \in \mathbb{Z}_p$. It implicitly sets $\nu = a, \phi_1 = b, \tau = b + a\phi_2$ and creates the public parameters as

$$\begin{aligned}
& g = k^{b^2} k^{y_g},\ g^{\nu} = k^{ab^2} (k^{a})^{y_g},\ g^{-\tau} = \big(k^{b^3} (k^{b})^{y_g} (k^{ab^2})^{\phi_2} (k^{a})^{y_g \phi_2}\big)^{-1}, \\
& h = (k^{b^2})^{B} k^{y_h},\ h^{\nu} = (k^{ab^2})^{B} (k^{a})^{y_h},\ h^{-\tau} = \big((k^{b^3})^{B} (k^{b})^{y_h} (k^{ab^2})^{B \phi_2} (k^{a})^{y_h \phi_2}\big)^{-1}, \\
& \big\{ u_i = (k^{b^2})^{A_i} k^{y_{u_i}},\ u_i^{\nu} = (k^{ab^2})^{A_i} (k^{a})^{y_{u_i}},\ u_i^{-\tau} = \big((k^{b^3})^{A_i} (k^{b})^{y_{u_i}} (k^{ab^2})^{A_i \phi_2} (k^{a})^{y_{u_i} \phi_2}\big)^{-1} \big\}_{i=1}^{l}, \\
& \hat{w}^{\phi_1} = (\hat{k}^{b})^{y_w},\ \hat{w}^{\phi_2} = \hat{k}^{y_w \phi_2},\ \hat{w} = \hat{k}^{y_w},\ \Omega = \big(e(k^{b^3}, \hat{k}^{b}) \cdot e(k^{b^2}, \hat{k})^{2 y_g} \cdot e(k, \hat{k})^{y_g^2}\big)^{\alpha}.
\end{aligned}$$

It also implicitly sets $\hat{g} = \hat{k}^{b^2} \hat{k}^{y_g}, \hat{h} = (\hat{k}^{b^2})^{B} \hat{k}^{y_h}, \hat{u}_i = (\hat{k}^{b^2})^{A_i} \hat{k}^{y_{u_i}}$ for the master key, but it cannot create these elements since $\hat{k}^{b^2}$ is not given. Additionally, it sets $f = k, \hat{f} = \hat{k}$ for the semi-functional ciphertext and private key. Let $\Delta(ID) = y_h + \sum_{i=1}^{m} y_{u_i} I_i$ and $\Gamma(ID) = B + \sum_{i=1}^{m} A_i I_i$ where $ID = (I_1, \ldots, I_m)$. $\mathcal{A}$ adaptively requests a private key for $ID = (I_1, \ldots, I_m)$. To respond to the private key query, $\mathcal{B}_1$ first selects random exponents $r_1, c'_1, c'_2, \{c'_{3,i}\}_{i=m+1}^{l} \in \mathbb{Z}_p$. It implicitly sets $c_1 = -b(\alpha + \Gamma(ID) r_1)/y_w + c'_1$, $c_2 = -b r_1/y_w + c'_2$, $\{c_{3,i} = -b A_i r_1/y_w + c'_{3,i}\}_{i=m+1}^{l}$ and creates the decryption and delegation components of a private key as


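$$\begin{aligned}
& K_{1,1} = \hat{k}^{y_g \alpha + \Delta(ID) r_1} (\hat{w}^{\phi_1})^{c'_1},\ K_{1,2} = (K_{1,3})^{\phi_2},\ K_{1,3} = (\hat{k}^{b})^{-(\alpha + \Gamma(ID) r_1)} \hat{w}^{c'_1}, \\
& K_{2,1} = \hat{k}^{y_g r_1} (\hat{w}^{\phi_1})^{c'_2},\ K_{2,2} = (K_{2,3})^{\phi_2},\ K_{2,3} = (\hat{k}^{b})^{-r_1} \hat{w}^{c'_2}, \\
& \big\{ L_{3,i,1} = \hat{k}^{y_{u_i} r_1} (\hat{w}^{\phi_1})^{c'_{3,i}},\ L_{3,i,2} = (L_{3,i,3})^{\phi_2},\ L_{3,i,3} = (\hat{k}^{b})^{-A_i r_1} \hat{w}^{c'_{3,i}} \big\}_{i=m+1}^{l}.
\end{aligned}$$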

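It also creates the randomization components of a private key similarly by selecting random exponents $r_2, c'_4, c'_5, \{c'_{6,i}\}_{i=m+1}^{l} \in \mathbb{Z}_p$ except that $R_{1,1}$ does not have $\hat{g}^{\alpha}$. We omit the detailed description of these. In the challenge step, $\mathcal{A}$ submits two challenge hierarchical identities $ID_0^* = (I^*_{0,1}, \ldots, I^*_{0,n}), ID_1^* = (I^*_{1,1}, \ldots, I^*_{1,n})$ and two messages $M_0^*, M_1^*$. $\mathcal{B}_1$ flips a random coin $\gamma \in \{0, 1\}$ internally. It implicitly sets $t = c$ and creates a challenge ciphertext as

$$\begin{aligned}
& C = \big(e(k^{b^3c}, \hat{k}^{b}) \cdot e(k^{b^2c}, \hat{k})^{2 y_g} \cdot e(k^{c}, \hat{k})^{y_g^2}\big)^{\alpha} \cdot M_{\gamma}^*, \\
& C_{1,1} = k^{b^2c} (k^{c})^{y_g},\ C_{1,2} = T (k^{ac})^{y_g},\ C_{1,3} = \big((k^{b^3c}) (k^{bc})^{y_g} (T)^{\phi_2} (k^{ac})^{y_g \phi_2}\big)^{-1}, \\
& C_{2,1} = (k^{b^2c})^{\Gamma(ID_{\gamma}^*)} (k^{c})^{\Delta(ID_{\gamma}^*)},\ C_{2,2} = (T)^{\Gamma(ID_{\gamma}^*)} (k^{ac})^{\Delta(ID_{\gamma}^*)}, \\
& C_{2,3} = \big((k^{b^3c})^{\Gamma(ID_{\gamma}^*)} (k^{bc})^{\Delta(ID_{\gamma}^*)} (T)^{\phi_2 \Gamma(ID_{\gamma}^*)} (k^{ac})^{\phi_2 \Delta(ID_{\gamma}^*)}\big)^{-1}.
\end{aligned}$$

Finally, $\mathcal{A}$ outputs a guess $\gamma'$. If $\gamma = \gamma'$, $\mathcal{B}_1$ outputs 0. Otherwise, it outputs 1.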

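Analysis. We first show that the distribution of the simulation using $D, T = T_0 = k^{ab^2c}$ is the same as $\mathbf{G}_0$. The public parameters are correctly distributed since the random blinding values $y_g, y_h, \{y_{u_i}\}, y_w$ are used. The private key is correctly distributed as

$$\begin{aligned}
K_{1,1} &= \hat{g}^{\alpha} \big(\hat{h} \prod_{i=1}^{m} \hat{u}_i^{I_i}\big)^{r_1} (\hat{w}^{\phi_1})^{c_1} = (\hat{k}^{b^2 + y_g})^{\alpha} \big(\hat{k}^{b^2 B + y_h} \prod_{i=1}^{m} \hat{k}^{(b^2 A_i + y_{u_i}) I_i}\big)^{r_1} (\hat{k}^{b y_w})^{-b(\alpha + \Gamma(ID) r_1)/y_w + c'_1} \\
&= \hat{k}^{y_g \alpha + \Delta(ID) r_1} (\hat{w}^{\phi_1})^{c'_1}, \\
K_{2,1} &= \hat{g}^{r_1} (\hat{w}^{\phi_1})^{c_2} = (\hat{k}^{b^2 + y_g})^{r_1} (\hat{k}^{b y_w})^{-b r_1/y_w + c'_2} = \hat{k}^{y_g r_1} (\hat{w}^{\phi_1})^{c'_2}, \\
L_{3,i,1} &= \hat{u}_i^{r_1} (\hat{w}^{\phi_1})^{c_{3,i}} = (\hat{k}^{b^2 A_i + y_{u_i}})^{r_1} (\hat{k}^{b y_w})^{-b A_i r_1/y_w + c'_{3,i}} = \hat{k}^{y_{u_i} r_1} (\hat{w}^{\phi_1})^{c'_{3,i}}.
\end{aligned}$$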

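Note that it can create a normal private key since $c_1, c_2, \{c_{3,i}\}, c_4, c_5, \{c_{6,i}\}$ enable the cancellation of $\hat{k}^{b^2}$, but it cannot create a semi-functional private key since $\hat{k}^{a}$ is not given. The challenge ciphertext is correctly distributed as

$$\begin{aligned}
C_{1,1} &= g^{t} = (k^{b^2 + y_g})^{c} = k^{b^2c} (k^{c})^{y_g},\quad C_{1,2} = (g^{\nu})^{t} = k^{(b^2 + y_g)ac} = T_0 (k^{ac})^{y_g}, \\
C_{1,3} &= (g^{-\tau})^{t} = \big(k^{(b^2 + y_g)(b + a\phi_2)c}\big)^{-1} = \big((k^{b^3c}) (k^{bc})^{y_g} (T_0)^{\phi_2} (k^{ac})^{y_g \phi_2}\big)^{-1}, \\
C_{2,1} &= \big(h \prod_{i=1}^{n} u_i^{I^*_{\gamma,i}}\big)^{t} = \big(k^{b^2 B + y_h} \prod_{i=1}^{n} k^{(b^2 A_i + y_{u_i}) I^*_{\gamma,i}}\big)^{c} = (k^{b^2c})^{\Gamma(ID_{\gamma}^*)} (k^{c})^{\Delta(ID_{\gamma}^*)}, \\
C_{2,2} &= \big(h^{\nu} \prod_{i=1}^{n} (u_i^{\nu})^{I^*_{\gamma,i}}\big)^{t} = \big(k^{(b^2 B + y_h)a} \prod_{i=1}^{n} k^{(b^2 A_i + y_{u_i}) a I^*_{\gamma,i}}\big)^{c} = (T_0)^{\Gamma(ID_{\gamma}^*)} (k^{ac})^{\Delta(ID_{\gamma}^*)}, \\
C_{2,3} &= \big(h^{-\tau} \prod_{i=1}^{n} (u_i^{-\tau})^{I^*_{\gamma,i}}\big)^{t} = \Big(\big(k^{(b^2 B + y_h)(b + a\phi_2)} \prod_{i=1}^{n} k^{(b^2 A_i + y_{u_i})(b + a\phi_2) I^*_{\gamma,i}}\big)^{c}\Big)^{-1} \\
&= \big((k^{b^3c})^{\Gamma(ID_{\gamma}^*)} (k^{bc})^{\Delta(ID_{\gamma}^*)} (T_0)^{\phi_2 \Gamma(ID_{\gamma}^*)} (k^{ac})^{\phi_2 \Delta(ID_{\gamma}^*)}\big)^{-1}.
\end{aligned}$$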


We next show that the distribution of the simulation using $D, T = T_1 = k^{ab^2c+d}$ is the same as $\mathbf{G}_1$. We only consider the distribution of the challenge ciphertext since $T$ is only used in the challenge ciphertext. The only difference between $T_0$ and $T_1$ is that $T_1$ additionally has $k^{d}$. Thus $C_{1,2}, C_{1,3}, C_{2,2}, C_{2,3}$ components that have $T$ in the simulation additionally have $k^{d}, (k^{d})^{-\phi_2}, (k^{d})^{\Gamma(ID_{\gamma}^*)}, (k^{d})^{-\phi_2 \Gamma(ID_{\gamma}^*)}$ respectively. If we implicitly set $s_c = d, z_c = \Gamma(ID_{\gamma}^*)$, then the challenge ciphertext is semi-functional. The distribution of this semi-functional challenge ciphertext is the same as $\mathbf{G}_1$ since $B, \{A_i\}$ for $z_c$ are information theoretically hidden to $\mathcal{A}$. We obtain $\Pr[\mathcal{B}_1(D, T_0) = 0] - 1/2 = \mathbf{Adv}^{G_0}_{\mathcal{A}}$ and $\Pr[\mathcal{B}_1(D, T_1) = 0] - 1/2 = \mathbf{Adv}^{G_1}_{\mathcal{A}}$ from the above analysis. Thus, we can easily derive the advantage of $\mathcal{B}_1$ as

$$\mathbf{Adv}^{A1}_{\mathcal{B}_1}(\lambda) = \big|\Pr[\mathcal{B}_1(D, T_0) = 0] - \Pr[\mathcal{B}_1(D, T_1) = 0]\big| = \big|\mathbf{Adv}^{G_0}_{\mathcal{A}} - \mathbf{Adv}^{G_1}_{\mathcal{A}}\big|.$$

This completes our proof. 

5.2 Proof of Lemma 3.3 (Indistinguishability of $\mathbf{G}_{1,k-1}$ and $\mathbf{G}'_{1,k}$)

In this proof, the challenge ciphertext is semi-functional and the $k$-th private key should be normal or semi-functional type-1 depending on the $T$ value of the given assumption. However, the paradox of dual system encryption occurs in this proof since a simulator can create a semi-functional ciphertext to check the type of the $k$-th private key by decrypting the semi-functional ciphertext using the $k$-th private key. The main idea to solve this paradox is to use a nominally semi-functional type-1 private key. If the $k$-th private key is nominally semi-functional type-1, then $z_{k,1}$ of the nominally semi-functional private key is the same as the $z_c$ of a semi-functional challenge ciphertext. Thus the simulator cannot distinguish the type of the $k$-th private key since the decryption of the semi-functional ciphertext using the $k$-th private key always succeeds.

Before proving this lemma, we introduce Assumption 2-A as follows: Let $(p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e)$ be a description of the asymmetric bilinear group of prime order $p$. Let $g, \hat{g}$ be generators of $\mathbb{G}, \hat{\mathbb{G}}$ respectively. Assumption 2-A is that if the challenge values $D = ((p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e), k, k^{a}, k^{a^2}, k^{bx}, k^{abx}, k^{a^2x}, \hat{k}, \hat{k}^{a}, \hat{k}^{b}, \hat{k}^{y_1}, \hat{k}^{y_2})$ and $T = (D_1, D_2)$ are given, no PPT algorithm can distinguish $T = (\hat{k}^{by_1}, \hat{k}^{by_2})$ from $T = (\hat{k}^{d_1}, \hat{k}^{d_2})$ with more than a negligible advantage. It is easy to show that if there exists an adversary that breaks Assumption 2-A, then an algorithm can break Assumption 2 with the same probability by setting $\hat{k}^{y_1} = (\hat{k}^{b})^{r_1} \hat{k}^{s_1}, \hat{k}^{y_2} = (\hat{k}^{b})^{r_2} \hat{k}^{s_2}, D_1 = (T)^{r_1} (\hat{k}^{c})^{s_1}, D_2 = (T)^{r_2} (\hat{k}^{c})^{s_2}$ where $\hat{k}^{b}, \hat{k}^{c}, T$ are given in Assumption 2 and $r_1, r_2, s_1, s_2$ are random exponents in $\mathbb{Z}_p$. The simulated values are correctly distributed since there exists one-to-one correspondence between $\{r_1, s_1, r_2, s_2\}$ and $\{y_1, y_2, d_1, d_2\}$.

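Simulator. Suppose there exists an adversary $\mathcal{A}$ that distinguishes between $\mathbf{G}_{1,k-1}$ and $\mathbf{G}'_{1,k}$ with a non-negligible advantage. A simulator $\mathcal{B}_2$ that breaks Assumption 2-A using $\mathcal{A}$ is given: a challenge tuple $D = ((p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e), k, k^{a}, k^{a^2}, k^{bx}, k^{abx}, k^{a^2x}, \hat{k}, \hat{k}^{a}, \hat{k}^{b}, \hat{k}^{y_1}, \hat{k}^{y_2})$ and $T = (D_1, D_2)$ where $T = T_0 = (D_1^0, D_2^0) = (\hat{k}^{by_1}, \hat{k}^{by_2})$ or $T = T_1 = (D_1^1, D_2^1) = (\hat{k}^{by_1 + d_1}, \hat{k}^{by_2 + d_2})$. Then $\mathcal{B}_2$ that interacts with $\mathcal{A}$ is described as follows: $\mathcal{B}_2$ first chooses random exponents $\nu, y_{\tau}, B, \{A_i\}_{i=1}^{l}, \alpha \in \mathbb{Z}_p$ and random blinding values $y_h, \{y_{u_i}\}_{i=1}^{l}, y_w \in \mathbb{Z}_p$. It implicitly sets $\phi_1 = -\nu b + (a + y_{\tau}), \phi_2 = b, \tau = a + y_{\tau}$ and creates the public parameters as

$$\begin{aligned}
& g = k^{a},\ g^{\nu} = (k^{a})^{\nu},\ g^{-\tau} = \big(k^{a^2} (k^{a})^{y_{\tau}}\big)^{-1}, \\
& h = (k^{a})^{B} k^{y_h},\ h^{\nu} = (k^{a})^{B\nu} k^{y_h \nu},\ h^{-\tau} = \big((k^{a^2})^{B} (k^{a})^{y_h + B y_{\tau}} k^{y_h y_{\tau}}\big)^{-1}, \\
& \big\{ u_i = (k^{a})^{A_i} k^{y_{u_i}},\ u_i^{\nu} = (k^{a})^{A_i \nu} k^{y_{u_i} \nu},\ u_i^{-\tau} = \big((k^{a^2})^{A_i} (k^{a})^{y_{u_i} + A_i y_{\tau}} k^{y_{u_i} y_{\tau}}\big)^{-1} \big\}_{i=1}^{l}, \\
& \hat{w}^{\phi_1} = \big((\hat{k}^{b})^{-\nu} \hat{k}^{a} \hat{k}^{y_{\tau}}\big)^{y_w},\ \hat{w}^{\phi_2} = (\hat{k}^{b})^{y_w},\ \hat{w} = \hat{k}^{y_w},\ \Omega = e(k^{a}, \hat{k}^{a})^{\alpha}.
\end{aligned}$$

It also sets $\hat{g} = \hat{k}^{a}, \hat{g}^{\alpha} = (\hat{k}^{a})^{\alpha}, \hat{h} = (\hat{k}^{a})^{B} \hat{k}^{y_h}, \{\hat{u}_i = (\hat{k}^{a})^{A_i} \hat{k}^{y_{u_i}}\}_{i=1}^{l}$ for the master key. Additionally, it sets $f = k, \hat{f} = \hat{k}$ for the semi-functional ciphertext and private key. Let $\Delta(ID) = y_h + \sum_{i=1}^{m} y_{u_i} I_i$ and $\Gamma(ID) = B + \sum_{i=1}^{m} A_i I_i$ where $ID = (I_1, \ldots, I_m)$. $\mathcal{A}$ adaptively requests a private key for $ID = (I_1, \ldots, I_m)$. If this is a $j$-th private key query, then $\mathcal{B}_2$ handles this query as follows: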

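• Case $j < k$: It creates a semi-functional private key by calling KeyGenSF-2 since it knows the master key and the tuple $(\hat{f}^{-\nu}, \hat{f}, 1)$ for the semi-functional private key.

• Case $j = k$: It first selects random exponents $r'_1, c'_1, c'_2, \{c'_{3,i}\}_{i=m+1}^{l} \in \mathbb{Z}_p$. It implicitly sets $r_1 = -y_1 + r'_1$, $c_1 = y_1 \Gamma(ID)/y_w + c'_1$, $c_2 = y_1/y_w + c'_2$, $\{c_{3,i} = y_1 A_i/y_w + c'_{3,i}\}_{i=m+1}^{l}$ and creates the decryption and delegation components of a private key as

$$\begin{aligned}
& K_{1,1} = \hat{g}^{\alpha} (\hat{k}^{y_1})^{-\Delta(ID)} \big(\hat{h} \prod_{i=1}^{m} \hat{u}_i^{I_i}\big)^{r'_1} (D_1)^{-\nu \Gamma(ID)} (\hat{k}^{y_1})^{y_{\tau} \Gamma(ID)} (\hat{w}^{\phi_1})^{c'_1}, \\
& K_{1,2} = (D_1)^{\Gamma(ID)} (\hat{w}^{\phi_2})^{c'_1},\ K_{1,3} = (\hat{k}^{y_1})^{\Gamma(ID)} \hat{w}^{c'_1}, \\
& K_{2,1} = \hat{g}^{r'_1} (D_1)^{-\nu} (\hat{k}^{y_1})^{y_{\tau}} (\hat{w}^{\phi_1})^{c'_2},\ K_{2,2} = D_1 (\hat{w}^{\phi_2})^{c'_2},\ K_{2,3} = \hat{k}^{y_1} \hat{w}^{c'_2}, \\
& \big\{ L_{3,i,1} = (\hat{k}^{y_1})^{-y_{u_i}} \hat{u}_i^{r'_1} (D_1)^{-\nu A_i} (\hat{k}^{y_1})^{y_{\tau} A_i} (\hat{w}^{\phi_1})^{c'_{3,i}},\ L_{3,i,2} = (D_1)^{A_i} (\hat{w}^{\phi_2})^{c'_{3,i}}, \\
& \quad L_{3,i,3} = (\hat{k}^{y_1})^{A_i} \hat{w}^{c'_{3,i}} \big\}_{i=m+1}^{l}.
\end{aligned}$$

It also creates the randomization components of a private key similarly by selecting random exponents $r'_2, c'_4, c'_5, \{c'_{6,i}\}_{i=m+1}^{l} \in \mathbb{Z}_p$ except that it uses $\hat{k}^{y_2}, D_2$ instead of $\hat{k}^{y_1}, D_1$. We omit the detailed description of these.

• Case $j > k$: It creates a normal private key by calling KeyGen since it knows the master key.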

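In the challenge step, $\mathcal{A}$ submits two challenge hierarchical identities $ID_0^* = (I^*_{0,1}, \ldots, I^*_{0,n}), ID_1^* = (I^*_{1,1}, \ldots, I^*_{1,n})$ and two messages $M_0^*, M_1^*$. $\mathcal{B}_2$ flips a random coin $\gamma \in \{0, 1\}$ internally and chooses a random exponent $t' \in \mathbb{Z}_p$. It implicitly sets $t = bx + t', s_c = -a^2 x, z_c = \Gamma(ID_{\gamma}^*)$ and creates a semi-functional ciphertext as

$$\begin{aligned}
& C = e(k^{abx}, \hat{k}^{a})^{\alpha} \cdot e(k^{a}, \hat{k}^{a})^{\alpha t'} \cdot M_{\gamma}^*, \\
& C_{1,1} = k^{abx} g^{t'},\ C_{1,2} = (k^{abx})^{\nu} (g^{\nu})^{t'} (k^{a^2x})^{-1},\ C_{1,3} = (k^{abx})^{-y_{\tau}} (g^{-\tau})^{t'}, \\
& C_{2,1} = (k^{abx})^{\Gamma(ID_{\gamma}^*)} (k^{bx})^{\Delta(ID_{\gamma}^*)} \big(h \prod_{i=1}^{n} u_i^{I^*_{\gamma,i}}\big)^{t'}, \\
& C_{2,2} = (k^{abx})^{\Gamma(ID_{\gamma}^*) \nu} (k^{bx})^{\Delta(ID_{\gamma}^*) \nu} \big(h^{\nu} \prod_{i=1}^{n} (u_i^{\nu})^{I^*_{\gamma,i}}\big)^{t'} (k^{a^2x})^{-\Gamma(ID_{\gamma}^*)}, \\
& C_{2,3} = (k^{abx})^{-\Gamma(ID_{\gamma}^*) y_{\tau}} (k^{abx})^{-\Delta(ID_{\gamma}^*)} (k^{bx})^{-\Delta(ID_{\gamma}^*) y_{\tau}} \big(h^{-\tau} \prod_{i=1}^{n} (u_i^{-\tau})^{I^*_{\gamma,i}}\big)^{t'}.
\end{aligned}$$

Finally, $\mathcal{A}$ outputs a guess $\gamma'$. If $\gamma = \gamma'$, $\mathcal{B}_2$ outputs 0. Otherwise, it outputs 1.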

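Analysis. We first show that the distribution of the simulation using $D, T_0 = (D_1^0, D_2^0) = (\hat{k}^{by_1}, \hat{k}^{by_2})$ is the same as $\mathbf{G}_{1,k-1}$. The public parameters are correctly distributed since the random blinding values $y_h, \{y_{u_i}\}, y_w$ are used. The $k$-th private key is correctly distributed as

$$\begin{aligned}
K_{1,1} &= \hat{g}^{\alpha} \big(\hat{h} \prod_{i=1}^{m} \hat{u}_i^{I_i}\big)^{r_1} (\hat{w}^{\phi_1})^{c_1} = \hat{g}^{\alpha} \big(\hat{k}^{aB + y_h} \prod_{i=1}^{m} \hat{k}^{(aA_i + y_{u_i}) I_i}\big)^{-y_1 + r'_1} (\hat{k}^{y_w(-\nu b + a + y_{\tau})})^{y_1 \Gamma(ID)/y_w + c'_1} \\
&= \hat{g}^{\alpha} (\hat{k}^{y_1})^{-\Delta(ID)} \big(\hat{h} \prod_{i=1}^{m} \hat{u}_i^{I_i}\big)^{r'_1} (D_1^0)^{-\nu \Gamma(ID)} (\hat{k}^{y_1})^{y_{\tau} \Gamma(ID)} (\hat{w}^{\phi_1})^{c'_1}, \\
K_{2,1} &= \hat{g}^{r_1} (\hat{w}^{\phi_1})^{c_2} = (\hat{k}^{a})^{-y_1 + r'_1} (\hat{k}^{y_w(-\nu b + a + y_{\tau})})^{y_1/y_w + c'_2} = \hat{g}^{r'_1} (D_1^0)^{-\nu} (\hat{k}^{y_1})^{y_{\tau}} (\hat{w}^{\phi_1})^{c'_2}, \\
L_{3,i,1} &= \hat{u}_i^{r_1} (\hat{w}^{\phi_1})^{c_{3,i}} = (\hat{k}^{aA_i + y_{u_i}})^{-y_1 + r'_1} (\hat{k}^{y_w(-\nu b + a + y_{\tau})})^{y_1 A_i/y_w + c'_{3,i}} \\
&= (\hat{k}^{y_1})^{-y_{u_i}} \hat{u}_i^{r'_1} (D_1^0)^{-\nu A_i} (\hat{k}^{y_1})^{y_{\tau} A_i} (\hat{w}^{\phi_1})^{c'_{3,i}}.
\end{aligned}$$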

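The semi-functional challenge ciphertext is correctly distributed as

$$\begin{aligned}
C_{1,1} &= g^{t} = (k^{a})^{bx + t'} = k^{abx} g^{t'}, \\
C_{1,2} &= (g^{\nu})^{t} f^{s_c} = (k^{a\nu})^{bx + t'} k^{-a^2x} = (k^{abx})^{\nu} (g^{\nu})^{t'} (k^{a^2x})^{-1}, \\
C_{1,3} &= (g^{-\tau})^{t} (f^{-\phi_2})^{s_c} = (k^{a(-a - y_{\tau})})^{bx + t'} k^{-b(-a^2x)} = (k^{abx})^{-y_{\tau}} (g^{-\tau})^{t'}, \\
C_{2,1} &= \big(h \prod_{i=1}^{n} u_i^{I^*_{\gamma,i}}\big)^{t} = \big(k^{aB + y_h} \prod_{i=1}^{n} k^{(aA_i + y_{u_i}) I^*_{\gamma,i}}\big)^{bx + t'} = (k^{abx})^{\Gamma(ID_{\gamma}^*)} (k^{bx})^{\Delta(ID_{\gamma}^*)} \big(h \prod_{i=1}^{n} u_i^{I^*_{\gamma,i}}\big)^{t'}, \\
C_{2,2} &= \big(h^{\nu} \prod_{i=1}^{n} (u_i^{\nu})^{I^*_{\gamma,i}}\big)^{t} (f^{s_c})^{z_c} = \big(k^{(aB + y_h)\nu} \prod_{i=1}^{n} (k^{(aA_i + y_{u_i})\nu})^{I^*_{\gamma,i}}\big)^{bx + t'} k^{-a^2x \Gamma(ID_{\gamma}^*)} \\
&= (k^{abx})^{\Gamma(ID_{\gamma}^*) \nu} (k^{bx})^{\Delta(ID_{\gamma}^*) \nu} \big(h^{\nu} \prod_{i=1}^{n} (u_i^{\nu})^{I^*_{\gamma,i}}\big)^{t'} (k^{a^2x})^{-\Gamma(ID_{\gamma}^*)}, \\
C_{2,3} &= \big(h^{-\tau} \prod_{i=1}^{n} (u_i^{-\tau})^{I^*_{\gamma,i}}\big)^{t} (f^{-\phi_2})^{s_c z_c} \\
&= \big(k^{(aB + y_h)(-a - y_{\tau})} \prod_{i=1}^{n} (k^{(aA_i + y_{u_i})(-a - y_{\tau})})^{I^*_{\gamma,i}}\big)^{bx + t'} k^{-b(-a^2x) \Gamma(ID_{\gamma}^*)} \\
&= (k^{abx})^{-\Gamma(ID_{\gamma}^*) y_{\tau}} (k^{abx})^{-\Delta(ID_{\gamma}^*)} (k^{bx})^{-\Delta(ID_{\gamma}^*) y_{\tau}} \big(h^{-\tau} \prod_{i=1}^{n} (u_i^{-\tau})^{I^*_{\gamma,i}}\big)^{t'}.
\end{aligned}$$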

Note that it can create the semi-functional ciphertext with only fixed $z_c = \Gamma(ID_{\gamma}^*)$ since $s_c, z_c$ enable the cancellation of $k^{a^2bx}$. Even though the simulator uses the fixed $z_c$, the distribution of $z_c$ is correct since $B, \{A_i\}$ for $z_c$ are information theoretically hidden to $\mathcal{A}$. We next show that the distribution of the simulation using $D, T_1 = (D_1^1, D_2^1) = (\hat{k}^{by_1 + d_1}, \hat{k}^{by_2 + d_2})$ is the same as $\mathbf{G}'_{1,k}$ except the $k$-th private key is nominally semi-functional. We only consider the distribution of the $k$-th private key since $T = (D_1, D_2)$ is only used in the $k$-th private key. The only difference between $T_0 = (D_1^0, D_2^0)$ and $T_1 = (D_1^1, D_2^1)$ is that $T_1$ additionally has $(\hat{k}^{d_1}, \hat{k}^{d_2})$. The decryption and delegation components $K_{1,1}, K_{1,2}, K_{2,1}, K_{2,2}, \{L_{3,i,1}, L_{3,i,2}\}$ that have $D_1$ in the simulation additionally have $(\hat{k}^{d_1})^{-\nu \Gamma(ID)}, (\hat{k}^{d_1})^{\Gamma(ID)}, (\hat{k}^{d_1})^{-\nu}, \hat{k}^{d_1}, \{(\hat{k}^{d_1})^{-\nu A_i}, (\hat{k}^{d_1})^{A_i}\}$ respectively. The randomization components $R_{1,1}, R_{1,2}, R_{2,1}, R_{2,2}, \{R_{3,i,1}, R_{3,i,2}\}$ that have $D_2$ in the simulation also have the additional values except that $\hat{k}^{d_2}$ is used instead of $\hat{k}^{d_1}$. If we implicitly set $s_{k,1} = d_1, z_{k,1} = \Gamma(ID), \{z_{k,2,i} = A_i\}_{i=m+1}^{l}, s_{k,2} = d_2$, then the distribution of the $k$-th private key is the same as $\mathbf{G}'_{1,k}$ except that the $k$-th private key is nominally semi-functional type-1.

Finally, we show that the adversary cannot distinguish the nominally semi-functional type-1 private key from the semi-functional type-1 private key. The main idea of this proof is that the adversary cannot request a private key for $ID$ that is a prefix of a challenge identity $ID^*$ in the security model. Suppose there exists an unbounded adversary, then the adversary can gather the values $z_{k,1} = \Gamma(ID) = B + \sum_{i=1}^{m} A_i I_i, \{z_{k,2,i} = A_i\}_{i=m+1}^{l}$ from the $k$-th private key query for $ID = (I_1, \ldots, I_m)$ and $z_c = \Gamma(ID_{\gamma}^*) = B + \sum_{i=1}^{n} A_i I^*_{\gamma,i}$ from the challenge ciphertext for $ID_{\gamma}^* = (I^*_{\gamma,1}, \ldots, I^*_{\gamma,n})$. In case of $n > m$, the values that are revealed to the adversary are described as

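$$\begin{pmatrix}
1 & I^*_{\gamma,1} & \cdots & I^*_{\gamma,m} & I^*_{\gamma,m+1} & \cdots & 0 \\
1 & I_1 & \cdots & I_m & 0 & \cdots & 0 \\
0 & 0 & \cdots & 0 & 1 & \cdots & 0 \\
\vdots & \vdots & & \vdots & \vdots & \ddots & \vdots \\
0 & 0 & \cdots & 0 & 0 & \cdots & 1
\end{pmatrix}
\begin{pmatrix} B \\ A_1 \\ \vdots \\ A_m \\ A_{m+1} \\ \vdots \\ A_l \end{pmatrix}
=
\begin{pmatrix} z_c \\ z_{k,1} \\ z_{k,2,m+1} \\ \vdots \\ z_{k,2,l} \end{pmatrix}$$
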


It is easy to show that the row rank of the above $(l - m + 2) \times (l + 1)$ matrix is $l - m + 2$ since there exists an index $j$ such that $I_j \neq I^*_{\gamma,j}$. It means that the above matrix is non-singular. In case of $n < m$, the revealed values to the adversary also can be described as a similar matrix equation as the above one. The row rank of this $(l - m + 2) \times (l + 1)$ matrix is $l - m + 2$ since $I_m \neq 0$. Therefore these values look random to the unbounded adversary since the matrices for two cases are non-singular and $B, A_1, \ldots, A_l$ are chosen randomly. We obtain $\Pr[\mathcal{B}_2(D, T_0) = 0] - 1/2 = \mathbf{Adv}^{G_{1,k-1}}_{\mathcal{A}}$ and $\Pr[\mathcal{B}_2(D, T_1) = 0] - 1/2 = \mathbf{Adv}^{G'_{1,k}}_{\mathcal{A}}$ from the above analysis. Thus, we can easily derive the advantage of $\mathcal{B}_2$ as

$$\mathbf{Adv}^{A2}_{\mathcal{B}_2}(\lambda) = \big|\Pr[\mathcal{B}_2(D, T_0) = 0] - \Pr[\mathcal{B}_2(D, T_1) = 0]\big| = \big|\mathbf{Adv}^{G_{1,k-1}}_{\mathcal{A}} - \mathbf{Adv}^{G'_{1,k}}_{\mathcal{A}}\big|.$$

This completes our proof. 
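The rank argument at the end of this proof can be checked numerically. The following added example (not from the paper) builds the matrix of values revealed by the $k$-th key and the challenge ciphertext and computes its row rank over $\mathbb{Z}_p$; the toy prime `P`, the function names and the sample identities are assumptions. It also covers the excluded case where $ID$ is a prefix of the challenge identity, in which $z_c$ becomes a linear combination of the key's values and the rank drops.

```python
P = 2**61 - 1  # toy prime standing in for the group order p (assumption)

def rank_mod_p(rows, p=P):
    """Row rank of an integer matrix over Z_p, by Gauss-Jordan elimination."""
    rows = [[x % p for x in r] for r in rows]
    rank = 0
    for col in range(len(rows[0])):
        pivot = next((i for i in range(rank, len(rows)) if rows[i][col]), None)
        if pivot is None:
            continue
        rows[rank], rows[pivot] = rows[pivot], rows[rank]
        inv = pow(rows[rank][col], -1, p)          # modular inverse (Python 3.8+)
        rows[rank] = [x * inv % p for x in rows[rank]]
        for i in range(len(rows)):
            if i != rank and rows[i][col]:
                f = rows[i][col]
                rows[i] = [(x - f * y) % p for x, y in zip(rows[i], rows[rank])]
        rank += 1
    return rank

def revealed_matrix(key_id, chal_id, l):
    """Coefficient rows of z_c, z_{k,1}, z_{k,2,m+1..l} over unknowns (B, A_1, ..., A_l)."""
    m = len(key_id)
    pad = lambda ident: [1] + list(ident) + [0] * (l - len(ident))
    units = [[1 if j == i else 0 for j in range(l + 1)] for i in range(m + 1, l + 1)]
    return [pad(chal_id), pad(key_id)] + units

def z_values_independent(key_id, chal_id, l):
    """True when all l - m + 2 revealed values are linearly independent."""
    mat = revealed_matrix(key_id, chal_id, l)
    return rank_mod_p(mat) == len(mat)

if __name__ == "__main__":
    l = 5  # maximum depth; the identities below are constructed samples
    print(z_values_independent((3, 7), (3, 8, 2), l))   # n > m, differs at index 2
    print(z_values_independent((3, 7, 9), (3, 7), l))   # n < m, I_m != 0
    print(z_values_independent((3, 7), (3, 7, 2), l))   # ID is a prefix of ID*
```

In the prefix case the challenge row equals the key row plus multiples of the delegation rows, which is exactly the dependency that would let an unbounded adversary recognize $z_{k,1} = z_c$.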

5.3 Proof of Lemma 3.4 (Indistinguishability of $\mathbf{G}'_{1,k}$ and $\mathbf{G}_{1,k}$)

In this proof, the challenge ciphertext is semi-functional and the $k$-th private key should be semi-functional type-1 or semi-functional type-2 depending on the $T$ value of the given assumption. The main idea of this proof is to show that the semi-functional type-1 and semi-functional type-2 private keys are computationally indistinguishable using the given assumption.

Before proving this lemma, we introduce Assumption 3-A as follows: Let $(p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e)$ be a description of the asymmetric bilinear group of prime order $p$. Let $g, \hat{g}$ be generators of $\mathbb{G}, \hat{\mathbb{G}}$ respectively. Assumption 3-A is that if the challenge values $D = ((p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e), k, \hat{k}, \hat{k}^{x_1}, \hat{k}^{x_{2,1}}, \ldots, \hat{k}^{x_{2,l}}, \hat{k}^{y})$ and $T = (D_1, D_{2,1}, \ldots, D_{2,l})$ are given, no PPT algorithm can distinguish $T = T_0 = (\hat{k}^{x_1 y}, \hat{k}^{x_{2,1} y}, \ldots, \hat{k}^{x_{2,l} y})$ from $T = T_1 = (\hat{k}^{d_1}, \hat{k}^{d_{2,1}}, \ldots, \hat{k}^{d_{2,l}})$ with more than a negligible advantage. It is easy to show that if there exists an adversary that breaks Assumption 3-A, then an algorithm can break Assumption 3 with the same probability by setting $\hat{k}^{x_1} = (\hat{k}^{a})^{r_1} \hat{k}^{s_1}, \{\hat{k}^{x_{2,i}} = (\hat{k}^{a})^{r_{2,i}} \hat{k}^{s_{2,i}}\}_{i=1}^{l}, \hat{k}^{y} = \hat{k}^{b}, D_1 = (T)^{r_1} (\hat{k}^{b})^{s_1}, \{D_{2,i} = (T)^{r_{2,i}} (\hat{k}^{b})^{s_{2,i}}\}_{i=1}^{l}$ where $\hat{k}^{a}, \hat{k}^{b}, T$ are given in Assumption 3 and $r_1, s_1, \{r_{2,i}, s_{2,i}\}_{i=1}^{l}$ are random exponents in $\mathbb{Z}_p$. The simulated values are correctly distributed since there exists one-to-one correspondence between $\{r_1, s_1, \{r_{2,i}\}, \{s_{2,i}\}\}$ and $\{x_1, \{x_{2,i}\}, d_1, \{d_{2,i}\}\}$.

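Simulator. Suppose there exists an adversary $\mathcal{A}$ that distinguishes between $\mathbf{G}'_{1,k}$ and $\mathbf{G}_{1,k}$ with a non-negligible advantage. A simulator $\mathcal{B}_3$ that breaks Assumption 3-A using $\mathcal{A}$ is given: a challenge tuple $D = ((p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e), k, \hat{k}, \hat{k}^{x_1}, \hat{k}^{x_{2,1}}, \ldots, \hat{k}^{x_{2,l}}, \hat{k}^{y})$ and $T = (D_1, \ldots, D_{2,l})$ where $T = T_0 = (D_1^0, \ldots, D_{2,l}^0) = (\hat{k}^{x_1 y}, \hat{k}^{x_{2,1} y}, \ldots, \hat{k}^{x_{2,l} y})$ or $T = T_1 = (D_1^1, \ldots, D_{2,l}^1) = (\hat{k}^{d_1}, \hat{k}^{d_{2,1}}, \ldots, \hat{k}^{d_{2,l}})$. Then $\mathcal{B}_3$ that interacts with $\mathcal{A}$ is described as follows: $\mathcal{B}_3$ first chooses random exponents $\nu, \phi_1, \phi_2, \alpha \in \mathbb{Z}_p$ and random blinding values $y_g, y_h, \{y_{u_i}\}_{i=1}^{l}, y_w \in \mathbb{Z}_p$. It implicitly sets $\tau = \phi_1 + \nu \phi_2$ and sets $g = k^{y_g}, \hat{g} = \hat{k}^{y_g}, h = k^{y_h}, \hat{h} = \hat{k}^{y_h}, \{u_i = k^{y_{u_i}}, \hat{u}_i = \hat{k}^{y_{u_i}}\}_{i=1}^{l}, \hat{w} = \hat{k}^{y_w}$. It creates the public parameters as

$$PP = \big( g, g^{\nu}, g^{-\tau},\ h, h^{\nu}, h^{-\tau},\ \{u_i, u_i^{\nu}, u_i^{-\tau}\}_{i=1}^{l},\ \hat{w}^{\phi_1}, \hat{w}^{\phi_2}, \hat{w},\ \Omega = e(g, \hat{g})^{\alpha} \big)$$

and the master key as $MK = (\hat{g}, \hat{g}^{\alpha}, \hat{h}, \{\hat{u}_i\}_{i=1}^{l})$. Additionally, it sets $f = k, \hat{f} = \hat{k}$ for the semi-functional ciphertext and private key. Let $\Delta(ID) = y_h + \sum_{i=1}^{m} y_{u_i} I_i$ where $ID = (I_1, \ldots, I_m)$. $\mathcal{A}$ adaptively requests a private key for $ID = (I_1, \ldots, I_m)$. If this is a $j$-th private key query, then $\mathcal{B}_3$ handles this query as follows: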


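• Case $j < k$: It creates a semi-functional private key by calling KeyGenSF-2 since it knows the master key and the tuple $(\hat{f}^{-\nu}, \hat{f}, 1)$ for the semi-functional private key.

• Case $j = k$: It first selects random exponents $r_1, c_1, c_2, \{c_{3,i}\}_{i=m+1}^{l}, s_{k,1} \in \mathbb{Z}_p$. It implicitly sets $z_{k,1} = x_1, \{z_{k,2,i} = x_{2,i}\}_{i=m+1}^{l}$ and creates the decryption and delegation components of a private key as

$$\begin{aligned}
& K_{1,1} = \hat{g}^{\alpha} \big(\hat{h} \prod_{i=1}^{m} \hat{u}_i^{I_i}\big)^{r_1} (\hat{w}^{\phi_1})^{c_1} (\hat{k}^{x_1})^{-\nu s_{k,1}},\ K_{1,2} = (\hat{w}^{\phi_2})^{c_1} (\hat{k}^{x_1})^{s_{k,1}},\ K_{1,3} = \hat{w}^{c_1}, \\
& K_{2,1} = \hat{g}^{r_1} (\hat{w}^{\phi_1})^{c_2} \hat{k}^{-\nu s_{k,1}},\ K_{2,2} = (\hat{w}^{\phi_2})^{c_2} \hat{k}^{s_{k,1}},\ K_{2,3} = \hat{w}^{c_2}, \\
& \big\{ L_{3,i,1} = \hat{u}_i^{r_1} (\hat{w}^{\phi_1})^{c_{3,i}} (\hat{k}^{x_{2,i}})^{-\nu s_{k,1}},\ L_{3,i,2} = (\hat{w}^{\phi_2})^{c_{3,i}} (\hat{k}^{x_{2,i}})^{s_{k,1}},\ L_{3,i,3} = \hat{w}^{c_{3,i}} \big\}_{i=m+1}^{l}.
\end{aligned}$$

Next, it selects random exponents $r_2, c_4, c_5, \{c_{6,i}\}_{i=m+1}^{l} \in \mathbb{Z}_p$. It implicitly sets $s_{k,2} = y$ and creates the randomization components of a private key as

$$\begin{aligned}
& R_{1,1} = \big(\hat{h} \prod_{i=1}^{m} \hat{u}_i^{I_i}\big)^{r_2} (\hat{w}^{\phi_1})^{c_4} (D_1)^{-\nu},\ R_{1,2} = (\hat{w}^{\phi_2})^{c_4} D_1,\ R_{1,3} = \hat{w}^{c_4}, \\
& R_{2,1} = \hat{g}^{r_2} (\hat{w}^{\phi_1})^{c_5} (\hat{k}^{y})^{-\nu},\ R_{2,2} = (\hat{w}^{\phi_2})^{c_5} \hat{k}^{y},\ R_{2,3} = \hat{w}^{c_5}, \\
& \big\{ R_{3,i,1} = \hat{u}_i^{r_2} (\hat{w}^{\phi_1})^{c_{6,i}} (D_{2,i})^{-\nu},\ R_{3,i,2} = (\hat{w}^{\phi_2})^{c_{6,i}} D_{2,i},\ R_{3,i,3} = \hat{w}^{c_{6,i}} \big\}_{i=m+1}^{l}.
\end{aligned}$$

• Case $j > k$: It creates a normal private key by calling KeyGen since it knows the master key.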

In the challenge step, $\mathcal{A}$ submits two challenge hierarchical identities $ID_0^* = (I^*_{0,1}, \ldots, I^*_{0,n}), ID_1^* = (I^*_{1,1}, \ldots, I^*_{1,n})$ and two messages $M_0^*, M_1^*$. $\mathcal{B}_3$ flips a random coin $\gamma \in \{0, 1\}$ internally. It creates a semi-functional challenge ciphertext by calling EncryptSF on the message $M_{\gamma}^*$ and the hierarchical identity $ID_{\gamma}^*$ since it knows the tuple $(1, f, f^{-\phi_2})$ for the semi-functional ciphertext. Finally, $\mathcal{A}$ outputs a guess $\gamma'$. If $\gamma = \gamma'$, $\mathcal{B}_3$ outputs 0. Otherwise, it outputs 1.

Analysis. We first show that the distribution of the simulation using $D, T_0 = (D_1^0, \ldots, D_{2,l}^0)$ is the same
as $\mathbf{G}'_{1,k}$. It is easy to check that the private key components are correctly distributed except the randomization
components of the $k$-th private key. If we implicitly set $z_{k,1} = x_1, \{z_{k,2,i} = x_{2,i}\}_{i=m+1}^{l}, s_{k,2} = y$, then the
randomization components of the $k$-th private key have the same distribution as $\mathbf{G}'_{1,k}$. We next show that the
distribution of the simulation using $D, T_1 = (D_1^1, \ldots, D_{2,l}^1)$ is the same as $\mathbf{G}_{1,k}$. We only consider the distribution
of the randomization components of the $k$-th private key since $T$ is only used in the randomization
components of the $k$-th private key. If we implicitly set $s_{k,2} = y, z_{k,3} = d_1/y, \{z_{k,4,i} = d_{2,i}/y\}_{i=m+1}^{l}$, then the
randomization components are correctly distributed as

$$\begin{aligned}
R_{1,1} &= \Big(\hat{h} \prod_{i=1}^{m} \hat{u}_i^{I_i}\Big)^{r_2} (\hat{w}^{\phi_1})^{c_4} (\hat{f}^{-\nu})^{s_{k,2} z_{k,3}} = \Big(\hat{h} \prod_{i=1}^{m} \hat{u}_i^{I_i}\Big)^{r_2} (\hat{w}^{\phi_1})^{c_4} (\hat{k}^{-\nu})^{y \cdot d_1/y} = \Big(\hat{h} \prod_{i=1}^{m} \hat{u}_i^{I_i}\Big)^{r_2} (\hat{w}^{\phi_1})^{c_4} (D_1^1)^{-\nu}, \\
R_{3,i,1} &= \hat{u}_i^{r_2} (\hat{w}^{\phi_1})^{c_{6,i}} (\hat{f}^{-\nu})^{s_{k,2} z_{k,4,i}} = \hat{u}_i^{r_2} (\hat{w}^{\phi_1})^{c_{6,i}} (\hat{k}^{-\nu})^{y \cdot d_{2,i}/y} = \hat{u}_i^{r_2} (\hat{w}^{\phi_1})^{c_{6,i}} (D_{2,i}^1)^{-\nu}.
\end{aligned}$$

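From the above analysis, we can obtain $\Pr[\mathcal{B}_3(D, T_0) = 0] - 1/2 = \mathbf{Adv}_{\mathcal{A}}^{\mathbf{G}'_{1,k}}$ and $\Pr[\mathcal{B}_3(D, T_1) = 0] - 1/2 = \mathbf{Adv}_{\mathcal{A}}^{\mathbf{G}_{1,k}}$.
Thus, we can easily derive the advantage of $\mathcal{B}_3$ as

$$\mathbf{Adv}_{\mathcal{B}_3}(\lambda) = \big|\Pr[\mathcal{B}_3(D, T_0) = 0] - \Pr[\mathcal{B}_3(D, T_1) = 0]\big| = \big|\mathbf{Adv}_{\mathcal{A}}^{\mathbf{G}'_{1,k}} - \mathbf{Adv}_{\mathcal{A}}^{\mathbf{G}_{1,k}}\big|.$$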

This completes our proof. 






5.4 Proof of Lemma 3.5 (Indistinguishability of $\mathbf{G}_2$ and $\mathbf{G}_3$)


In this proof, private keys and the challenge ciphertext are semi-functional type-2 and semi-functional respectively,
but a session key should be correct or random depending on the $T$ value of the given assumption.
The main idea of this proof is to enforce a simulator to solve the Computational Diffie-Hellman (CDH) problem
in order to create the normal types of private keys and ciphertexts. However, the simulator can generate
the semi-functional types of private keys and ciphertexts since an additional random value in semi-functional
types enables the cancellation of the CDH value.

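Simulator. Suppose there exists an adversary $\mathcal{A}$ that distinguishes between $\mathbf{G}_2$ and $\mathbf{G}_3$ with a non-negligible
advantage. A simulator $\mathcal{B}_4$ that breaks Assumption 4 using $\mathcal{A}$ is given: a challenge tuple
$D = ((p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e), k, k^a, k^b, k^c, \hat{k}, \hat{k}^a, \hat{k}^b, \hat{k}^c)$ and $T$ where $T = T_0 = e(k, \hat{k})^{abc}$ or $T = T_1 = e(k, \hat{k})^{d}$. Then $\mathcal{B}_4$ that
interacts with $\mathcal{A}$ is described as follows: $\mathcal{B}_4$ first chooses random exponents $\phi_1, \phi_2 \in \mathbb{Z}_p$ and random blinding
values $y_g, y_h, \{y_{u_i}\}_{i=1}^{l}, y_w \in \mathbb{Z}_p$. It sets $g = k^{y_g}, h = k^{y_h}, \{u_i = k^{y_{u_i}}\}_{i=1}^{l}, \hat{g} = \hat{k}^{y_g}, \hat{h} = \hat{k}^{y_h}, \{\hat{u}_i = \hat{k}^{y_{u_i}}\}_{i=1}^{l}, \hat{w} = \hat{k}^{y_w}$.
It implicitly sets $\nu = a, \tau = \phi_1 + a\phi_2, \alpha = ab$ and creates the public parameters as

$$\begin{aligned}
& g,\ g^{\nu} = (k^a)^{y_g},\ g^{-\tau} = k^{-y_g \phi_1} (k^a)^{-y_g \phi_2},\quad h,\ h^{\nu} = (k^a)^{y_h},\ h^{-\tau} = k^{-y_h \phi_1} (k^a)^{-y_h \phi_2}, \\
& \big\{ u_i,\ u_i^{\nu} = (k^a)^{y_{u_i}},\ u_i^{-\tau} = k^{-y_{u_i} \phi_1} (k^a)^{-y_{u_i} \phi_2} \big\}_{i=1}^{l},\quad \hat{w}^{\phi_1},\ \hat{w}^{\phi_2},\ \hat{w},\quad \Omega = e(k^a, \hat{k}^b)^{y_g^2}.
\end{aligned}$$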

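Additionally, it sets $f = k, \hat{f} = \hat{k}$ for the semi-functional ciphertext and private key. Let $\Delta(ID) = y_h + \sum_{i=1}^{m} y_{u_i} I_i$
where $ID = (I_1, \ldots, I_m)$. $\mathcal{A}$ adaptively requests a private key for $ID = (I_1, \ldots, I_m)$. To respond to
the private key query, $\mathcal{B}_4$ first selects random exponents $r_1, c_1, c_2, \{c_{3,i}\}_{i=m+1}^{l}, s_{k,1}, z'_{k,1}, \{z_{k,2,i}\}_{i=m+1}^{l} \in \mathbb{Z}_p$.
It implicitly sets $z_{k,1} = b y_g / s_{k,1} + z'_{k,1}$ and creates the decryption and delegation components of a semi-functional
private key as

$$\begin{aligned}
& K_{1,1} = \Big(\hat{h} \prod_{i=1}^{m} \hat{u}_i^{I_i}\Big)^{r_1} (\hat{w}^{\phi_1})^{c_1} (\hat{k}^a)^{-s_{k,1} z'_{k,1}},\quad K_{1,2} = (\hat{w}^{\phi_2})^{c_1} (\hat{k}^b)^{y_g} \hat{k}^{s_{k,1} z'_{k,1}},\quad K_{1,3} = \hat{w}^{c_1}, \\
& K_{2,1} = \hat{g}^{r_1} (\hat{w}^{\phi_1})^{c_2} (\hat{k}^a)^{-s_{k,1}},\quad K_{2,2} = (\hat{w}^{\phi_2})^{c_2} \hat{k}^{s_{k,1}},\quad K_{2,3} = \hat{w}^{c_2}, \\
& \Big\{ L_{3,i,1} = \hat{u}_i^{r_1} (\hat{w}^{\phi_1})^{c_{3,i}} (\hat{k}^a)^{-s_{k,1} z_{k,2,i}},\quad L_{3,i,2} = (\hat{w}^{\phi_2})^{c_{3,i}} \hat{k}^{s_{k,1} z_{k,2,i}},\quad L_{3,i,3} = \hat{w}^{c_{3,i}} \Big\}_{i=m+1}^{l}.
\end{aligned}$$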


Next, it selects random exponents $r_2, c_4, c_5, \{c_{6,i}\}_{i=m+1}^{l}, s_{k,2}, z_{k,3}, \{z_{k,4,i}\}_{i=m+1}^{l} \in \mathbb{Z}_p$ and creates the randomization
components of a semi-functional private key. In the challenge step, $\mathcal{A}$ submits two challenge hierarchical
identities $ID_0^* = (I_{0,1}^*, \ldots, I_{0,n}^*)$, $ID_1^* = (I_{1,1}^*, \ldots, I_{1,n}^*)$ and two messages $M_0^*, M_1^*$. $\mathcal{B}_4$ flips a random coin
$\gamma \in \{0, 1\}$ internally and chooses random exponents $s'_c, z'_c \in \mathbb{Z}_p$. It implicitly sets $t = c$, $s_c = -a c y_g + s'_c$,
$z_c = -a c \Delta(ID_\gamma^*)/s_c + z'_c/s_c$ and creates the semi-functional ciphertext as

$$\begin{aligned}
& C = (T)^{y_g^2} M_\gamma^*,\quad C_{1,1} = (k^c)^{y_g},\quad C_{1,2} = k^{s'_c},\quad C_{1,3} = (k^c)^{-y_g \phi_1} k^{-\phi_2 s'_c}, \\
& C_{2,1} = (k^c)^{\Delta(ID_\gamma^*)},\quad C_{2,2} = k^{z'_c},\quad C_{2,3} = (k^c)^{-\Delta(ID_\gamma^*) \phi_1} k^{-\phi_2 z'_c}.
\end{aligned}$$

Finally, $\mathcal{A}$ outputs a guess $\gamma'$. If $\gamma = \gamma'$, $\mathcal{B}_4$ outputs 0. Otherwise, it outputs 1.

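Analysis. We first show that the distribution of the simulation using $D, T_0 = e(k, \hat{k})^{abc}$ is the same as $\mathbf{G}_2$.
The public parameters are correctly distributed since the random blinding values $y_g, y_h, \{y_{u_i}\}, y_w$ are used.
The semi-functional private key is correctly distributed as

$$\begin{aligned}
K_{1,1} &= \hat{g}^{\alpha} \Big(\hat{h} \prod_{i=1}^{m} \hat{u}_i^{I_i}\Big)^{r_1} (\hat{w}^{\phi_1})^{c_1} (\hat{f}^{-\nu})^{s_{k,1} z_{k,1}} \\
&= \hat{k}^{y_g ab} \Big(\hat{h} \prod_{i=1}^{m} \hat{u}_i^{I_i}\Big)^{r_1} (\hat{w}^{\phi_1})^{c_1} (\hat{k}^{-a})^{s_{k,1} (b y_g / s_{k,1} + z'_{k,1})} \\
&= \Big(\hat{h} \prod_{i=1}^{m} \hat{u}_i^{I_i}\Big)^{r_1} (\hat{w}^{\phi_1})^{c_1} (\hat{k}^a)^{-s_{k,1} z'_{k,1}}.
\end{aligned}$$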


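Note that it can only create a semi-functional private key since $z_{k,1} = b y_g / s_{k,1} + z'_{k,1}$ enables the cancellation
of $\hat{k}^{ab}$. The semi-functional challenge ciphertext is correctly distributed as

$$\begin{aligned}
C &= e(g, \hat{g})^{\alpha t} M_\gamma^* = e(k^{y_g}, \hat{k}^{y_g})^{abc} M_\gamma^* = (T_0)^{y_g^2} M_\gamma^*, \\
C_{1,1} &= g^t = (k^{y_g})^c = (k^c)^{y_g}, \\
C_{1,2} &= (g^{\nu})^t f^{s_c} = (k^{y_g a})^c k^{-a c y_g + s'_c} = k^{s'_c}, \\
C_{1,3} &= (g^{-\tau})^t (f^{-\phi_2})^{s_c} = (k^{-y_g (\phi_1 + a \phi_2)})^c k^{-\phi_2 (-a c y_g + s'_c)} = (k^c)^{-y_g \phi_1} k^{-\phi_2 s'_c}, \\
C_{2,1} &= \Big(h \prod_{i=1}^{n} u_i^{I_{\gamma,i}^*}\Big)^t = \Big(k^{y_h} \prod_{i=1}^{n} k^{y_{u_i} I_{\gamma,i}^*}\Big)^c = (k^c)^{\Delta(ID_\gamma^*)}, \\
C_{2,2} &= \Big(h^{\nu} \prod_{i=1}^{n} (u_i^{\nu})^{I_{\gamma,i}^*}\Big)^t f^{s_c z_c} = \Big(k^{y_h a} \prod_{i=1}^{n} k^{y_{u_i} a I_{\gamma,i}^*}\Big)^c k^{s_c (-a c \Delta(ID_\gamma^*)/s_c + z'_c/s_c)} = k^{z'_c}, \\
C_{2,3} &= \Big(h^{-\tau} \prod_{i=1}^{n} (u_i^{-\tau})^{I_{\gamma,i}^*}\Big)^t (f^{-\phi_2})^{s_c z_c} \\
&= \Big(k^{-y_h (\phi_1 + a \phi_2)} \prod_{i=1}^{n} k^{-y_{u_i} (\phi_1 + a \phi_2) I_{\gamma,i}^*}\Big)^c (k^{-\phi_2})^{s_c (-a c \Delta(ID_\gamma^*)/s_c + z'_c/s_c)} = (k^c)^{-\Delta(ID_\gamma^*) \phi_1} k^{-\phi_2 z'_c}.
\end{aligned}$$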


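Note that it can create a semi-functional ciphertext since $s_c, z_c$ enable the cancellation of $k^{ac}$. We next show
that the distribution of the simulation using $D, T_1 = e(k, \hat{k})^{d}$ is the same as $\mathbf{G}_3$. It is obvious that $C$ is a
random element since $T_1 = e(k, \hat{k})^{d}$. From the above analysis, we obtain $\Pr[\mathcal{B}_4(D, T_0) = 0] - 1/2 = \mathbf{Adv}_{\mathcal{A}}^{\mathbf{G}_2}$
and $\Pr[\mathcal{B}_4(D, T_1) = 0] - 1/2 = \mathbf{Adv}_{\mathcal{A}}^{\mathbf{G}_3}$. Thus, we can easily derive the advantage of $\mathcal{B}_4$ as

$$\mathbf{Adv}_{\mathcal{B}_4}(\lambda) = \big|\Pr[\mathcal{B}_4(D, T_0) = 0] - \Pr[\mathcal{B}_4(D, T_1) = 0]\big| = \big|\mathbf{Adv}_{\mathcal{A}}^{\mathbf{G}_2} - \mathbf{Adv}_{\mathcal{A}}^{\mathbf{G}_3}\big|.$$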


This completes our proof. 


5.5 Proof of Lemma 3.6 (Indistinguishability of $\mathbf{G}_3$ and $\mathbf{G}_4$)

In this proof, private keys and the challenge ciphertext are semi-functional type-2 and semi-functional respectively,
and the elements of the challenge ciphertext should be well-formed or random depending on
the $T$ value of the given assumption. The idea to generate semi-functional type-2 private keys and semi-functional
ciphertexts is similar to Lemma 3.5 but it uses a different assumption. To prove anonymity,
the simulator embeds the $T$ value of the assumption into all the elements of the challenge ciphertext that
contain an identity.

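Simulator. Suppose there exists an adversary $\mathcal{A}$ that distinguishes between $\mathbf{G}_3$ and $\mathbf{G}_4$ with a non-negligible
advantage. A simulator $\mathcal{B}_5$ that breaks Assumption 5 using $\mathcal{A}$ is given: a challenge tuple
$D = ((p, \mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T, e), k, k^a, k^b, k^c, k^{ab}, k^{a^2 b}, \hat{k}, \hat{k}^a, \hat{k}^b)$ and $T$ where $T = T_0 = k^{abc}$ or $T = T_1 = k^{d}$. Then $\mathcal{B}_5$ that
interacts with $\mathcal{A}$ is described as follows: $\mathcal{B}_5$ first chooses random exponents $\phi_1, \phi_2, \alpha \in \mathbb{Z}_p$ and random
blinding values $y_g, y_h, \{y_{u_i}\}_{i=1}^{l}, y_w \in \mathbb{Z}_p$. It sets $g = k^{y_g}, h = (k^{ab})^{y_h}, \{u_i = (k^{ab})^{y_{u_i}}\}_{i=1}^{l}, \hat{g} = \hat{k}^{y_g}, \hat{w} = \hat{k}^{y_w}, \hat{g}^{\alpha} = \hat{k}^{y_g \alpha}$.
It implicitly sets $\nu = a, \tau = \phi_1 + a\phi_2$ and publishes the public parameters as

$$\begin{aligned}
& g,\ g^{\nu} = (k^a)^{y_g},\ g^{-\tau} = k^{-y_g \phi_1} (k^a)^{-y_g \phi_2},\quad h,\ h^{\nu} = (k^{a^2 b})^{y_h},\ h^{-\tau} = (k^{ab})^{-y_h \phi_1} (k^{a^2 b})^{-y_h \phi_2}, \\
& \big\{ u_i,\ u_i^{\nu} = (k^{a^2 b})^{y_{u_i}},\ u_i^{-\tau} = (k^{ab})^{-y_{u_i} \phi_1} (k^{a^2 b})^{-y_{u_i} \phi_2} \big\}_{i=1}^{l},\quad \hat{w}^{\phi_1},\ \hat{w}^{\phi_2},\ \hat{w},\quad \Omega = e(k, \hat{k})^{y_g^2 \alpha}.
\end{aligned}$$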


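It also implicitly sets $\hat{h} = (\hat{k}^{ab})^{y_h}, \{\hat{u}_i = (\hat{k}^{ab})^{y_{u_i}}\}_{i=1}^{l}$ for the master key, but it cannot create these values since $\hat{k}^{ab}$
is not given. Additionally, it sets $f = k, \hat{f} = \hat{k}$ for the semi-functional ciphertext and private key. Let
$\Delta(ID) = y_h + \sum_{i=1}^{m} y_{u_i} I_i$ where $ID = (I_1, \ldots, I_m)$. $\mathcal{A}$ adaptively requests a private key for $ID = (I_1, \ldots, I_m)$. To respond to
the private key query, $\mathcal{B}_5$ first selects random exponents $r_1, c_1, c_2, \{c_{3,i}\}_{i=m+1}^{l}, s_{k,1}, z'_{k,1}, \{z'_{k,2,i}\}_{i=m+1}^{l} \in \mathbb{Z}_p$. It
implicitly sets $z_{k,1} = b \Delta(ID) r_1 / s_{k,1} + z'_{k,1}, \{z_{k,2,i} = b y_{u_i} r_1 / s_{k,1} + z'_{k,2,i}\}_{i=m+1}^{l}$ and creates the decryption and
delegation components of a semi-functional private key as

$$\begin{aligned}
& K_{1,1} = \hat{g}^{\alpha} (\hat{w}^{\phi_1})^{c_1} (\hat{k}^a)^{-s_{k,1} z'_{k,1}},\quad K_{1,2} = (\hat{w}^{\phi_2})^{c_1} (\hat{k}^b)^{\Delta(ID) r_1} \hat{k}^{s_{k,1} z'_{k,1}},\quad K_{1,3} = \hat{w}^{c_1}, \\
& K_{2,1} = \hat{g}^{r_1} (\hat{w}^{\phi_1})^{c_2} (\hat{k}^a)^{-s_{k,1}},\quad K_{2,2} = (\hat{w}^{\phi_2})^{c_2} \hat{k}^{s_{k,1}},\quad K_{2,3} = \hat{w}^{c_2}, \\
& \Big\{ L_{3,i,1} = (\hat{w}^{\phi_1})^{c_{3,i}} (\hat{k}^a)^{-s_{k,1} z'_{k,2,i}},\quad L_{3,i,2} = (\hat{w}^{\phi_2})^{c_{3,i}} (\hat{k}^b)^{y_{u_i} r_1} \hat{k}^{s_{k,1} z'_{k,2,i}},\quad L_{3,i,3} = \hat{w}^{c_{3,i}} \Big\}_{i=m+1}^{l}.
\end{aligned}$$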


Next, it selects random exponents $r_2, c_4, c_5, \{c_{6,i}\}_{i=m+1}^{l}, s_{k,2}, z'_{k,3}, \{z'_{k,4,i}\}_{i=m+1}^{l} \in \mathbb{Z}_p$ and creates the randomization
components of a semi-functional private key by implicitly setting $z_{k,3} = b \Delta(ID) r_2 / s_{k,2} + z'_{k,3}$,
$\{z_{k,4,i} = b y_{u_i} r_2 / s_{k,2} + z'_{k,4,i}\}_{i=m+1}^{l}$. We omit the detailed description of these, since these are similar to the decryption
and delegation components except that $R_{1,1}$ does not have $\hat{g}^{\alpha}$. In the challenge step, $\mathcal{A}$ submits two
challenge hierarchical identities $ID_0^* = (I_{0,1}^*, \ldots, I_{0,n}^*)$, $ID_1^* = (I_{1,1}^*, \ldots, I_{1,n}^*)$ and two messages $M_0^*, M_1^*$. $\mathcal{B}_5$
flips a random coin $\gamma \in \{0, 1\}$ internally and chooses random exponents $s'_c, z'_c \in \mathbb{Z}_p$. It implicitly sets
$t = c$, $s_c = -a c y_g + s'_c$, $z_c = -a^2 b c \Delta(ID_\gamma^*)/s_c + a b c z'_c/s_c$ and creates the semi-functional ciphertext as

$$\begin{aligned}
& C = \Omega^{t} M_\gamma^*,\quad C_{1,1} = (k^c)^{y_g},\quad C_{1,2} = k^{s'_c},\quad C_{1,3} = (k^c)^{-y_g \phi_1} k^{-\phi_2 s'_c}, \\
& C_{2,1} = (T)^{\Delta(ID_\gamma^*)},\quad C_{2,2} = (T)^{z'_c},\quad C_{2,3} = (T)^{-\Delta(ID_\gamma^*) \phi_1 - \phi_2 z'_c}.
\end{aligned}$$

Finally, $\mathcal{A}$ outputs a guess $\gamma'$. If $\gamma = \gamma'$, $\mathcal{B}_5$ outputs 0. Otherwise, it outputs 1.

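Analysis. We first show that the distribution of the simulation using $D, T_0 = k^{abc}$ is the same as $\mathbf{G}_3$. The
public parameters are correctly distributed since the random blinding values are used. The semi-functional
private key is correctly distributed as

$$\begin{aligned}
K_{1,1} &= \hat{g}^{\alpha} \Big(\hat{h} \prod_{i=1}^{m} \hat{u}_i^{I_i}\Big)^{r_1} (\hat{w}^{\phi_1})^{c_1} (\hat{f}^{-\nu})^{s_{k,1} z_{k,1}} = \hat{g}^{\alpha} (\hat{k}^{ab})^{\Delta(ID) r_1} (\hat{w}^{\phi_1})^{c_1} (\hat{k}^{-a})^{s_{k,1} (b \Delta(ID) r_1 / s_{k,1} + z'_{k,1})} \\
&= \hat{g}^{\alpha} (\hat{w}^{\phi_1})^{c_1} (\hat{k}^a)^{-s_{k,1} z'_{k,1}}, \\
K_{2,1} &= \hat{g}^{r_1} (\hat{w}^{\phi_1})^{c_2} (\hat{f}^{-\nu})^{s_{k,1}} = \hat{g}^{r_1} (\hat{w}^{\phi_1})^{c_2} (\hat{k}^a)^{-s_{k,1}}, \\
L_{3,i,1} &= \hat{u}_i^{r_1} (\hat{w}^{\phi_1})^{c_{3,i}} (\hat{f}^{-\nu})^{s_{k,1} z_{k,2,i}} = (\hat{k}^{ab})^{y_{u_i} r_1} (\hat{w}^{\phi_1})^{c_{3,i}} (\hat{k}^a)^{-s_{k,1} (b y_{u_i} r_1 / s_{k,1} + z'_{k,2,i})} \\
&= (\hat{w}^{\phi_1})^{c_{3,i}} (\hat{k}^a)^{-s_{k,1} z'_{k,2,i}}.
\end{aligned}$$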


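Note that it can only create a semi-functional type-2 private key since $z_{k,1}, \{z_{k,2,i}\}, z_{k,3}, \{z_{k,4,i}\}$ enable the
cancellation of $\hat{k}^{ab}$. The semi-functional challenge ciphertext is correctly distributed as

$$\begin{aligned}
C_{1,1} &= g^t = (k^{y_g})^c = (k^c)^{y_g}, \\
C_{1,2} &= (g^{\nu})^t f^{s_c} = (k^{y_g a})^c k^{-a c y_g + s'_c} = k^{s'_c}, \\
C_{1,3} &= (g^{-\tau})^t (f^{-\phi_2})^{s_c} = (k^{-y_g (\phi_1 + a \phi_2)})^c k^{-\phi_2 (-a c y_g + s'_c)} = (k^c)^{-y_g \phi_1} k^{-\phi_2 s'_c}, \\
C_{2,1} &= \Big(h \prod_{i=1}^{n} u_i^{I_{\gamma,i}^*}\Big)^t = (k^{ab})^{\Delta(ID_\gamma^*) c} = (T_0)^{\Delta(ID_\gamma^*)}, \\
C_{2,2} &= \Big(h^{\nu} \prod_{i=1}^{n} (u_i^{\nu})^{I_{\gamma,i}^*}\Big)^t f^{s_c z_c} = \big((k^{ab})^{\Delta(ID_\gamma^*)}\big)^{a c} k^{s_c (-a^2 b c \Delta(ID_\gamma^*)/s_c + a b c z'_c/s_c)} = (T_0)^{z'_c}, \\
C_{2,3} &= \Big(h^{-\tau} \prod_{i=1}^{n} (u_i^{-\tau})^{I_{\gamma,i}^*}\Big)^t (f^{-\phi_2})^{s_c z_c} = \big((k^{ab})^{-\Delta(ID_\gamma^*) (\phi_1 + a \phi_2)}\big)^{c} (k^{-\phi_2})^{s_c (-a^2 b c \Delta(ID_\gamma^*)/s_c + a b c z'_c/s_c)} \\
&= (T_0)^{-\Delta(ID_\gamma^*) \phi_1} (T_0)^{-\phi_2 z'_c}.
\end{aligned}$$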


Note that it can only create a semi-functional ciphertext since $s_c, z_c$ enable the cancellation of $k^{a^2 b c}$. We
next show that the distribution of the simulation using $D, T_1 = k^{d}$ is the same as $\mathbf{G}_4$. We only consider the
$C_{2,1}, C_{2,2}, C_{2,3}$ components of the semi-functional challenge ciphertext since $T$ is used for these components.
If we implicitly set $P = k^{\Delta(ID_\gamma^*) d/c}$ and $z_c = -a d \Delta(ID_\gamma^*)/s_c + d z'_c/s_c$, then the semi-functional challenge
ciphertext is correctly distributed as

$$\begin{aligned}
C_{2,1} &= P^{c} = (k^{\Delta(ID_\gamma^*) d/c})^{c} = (T_1)^{\Delta(ID_\gamma^*)}, \\
C_{2,2} &= P^{\nu c} f^{s_c z_c} = (k^{\Delta(ID_\gamma^*) d/c})^{a c} k^{s_c (-a d \Delta(ID_\gamma^*)/s_c + d z'_c/s_c)} = (T_1)^{z'_c}, \\
C_{2,3} &= P^{-\tau c} (f^{-\phi_2})^{s_c z_c} = (k^{\Delta(ID_\gamma^*) d/c})^{-(\phi_1 + a \phi_2) c} k^{-\phi_2 s_c (-a d \Delta(ID_\gamma^*)/s_c + d z'_c/s_c)} \\
&= (T_1)^{-\Delta(ID_\gamma^*) \phi_1} (T_1)^{-z'_c \phi_2}.
\end{aligned}$$


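From the above analysis, we obtain $\Pr[\mathcal{B}_5(D, T_0) = 0] - 1/2 = \mathbf{Adv}_{\mathcal{A}}^{\mathbf{G}_3}$ and $\Pr[\mathcal{B}_5(D, T_1) = 0] - 1/2 = \mathbf{Adv}_{\mathcal{A}}^{\mathbf{G}_4}$.
Thus, we can easily derive the advantage of $\mathcal{B}_5$ as

$$\mathbf{Adv}_{\mathcal{B}_5}(\lambda) = \big|\Pr[\mathcal{B}_5(D, T_0) = 0] - \Pr[\mathcal{B}_5(D, T_1) = 0]\big| = \big|\mathbf{Adv}_{\mathcal{A}}^{\mathbf{G}_3} - \mathbf{Adv}_{\mathcal{A}}^{\mathbf{G}_4}\big|.$$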

This completes our proof. 


6 Generic Group Model 

In this section, we prove that the new assumption of this paper is secure under the generic group model. The
generic group model was introduced by Shoup [43], and it is a tool for analyzing generic algorithms that
work independently of the group representation. In the generic group model, an adversary is given a random
encoding of a group element or an arbitrary index of a group element instead of the actual representation
of a group element. Thus, the adversary performs group operations through oracles that are provided by a
simulator, and the adversary can only check the equality of group elements. The detailed explanation of the
generic group model is given in [7, 28].

6.1 Master Theorem


To analyze the new assumption of this paper, we slightly modify the master theorem of Katz et al. [28]
since the new assumption is defined over asymmetric bilinear groups of prime order. Let $\mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T$ be
asymmetric bilinear groups of prime order $p$. The bilinear map is defined as $e : \mathbb{G} \times \hat{\mathbb{G}} \to \mathbb{G}_T$. In the generic
group model, a random group element of $\mathbb{G}, \hat{\mathbb{G}}, \mathbb{G}_T$ is represented as a random variable $P_i, Q_i, R_i$ respectively
where $P_i, Q_i, R_i$ are chosen uniformly in $\mathbb{Z}_p$. We say that a random variable has degree $t$ if the maximum
degree of any variable is $t$. The generalized definition of dependence and independence is given as follows:

Definition 6.1. Let $P = \{P_1, \ldots, P_u\}$, $T_0, T_1$ be random variables over $\mathbb{G}$ where $T_0 \neq T_1$, let $Q = \{Q_1, \ldots, Q_w\}$
be random variables over $\hat{\mathbb{G}}$, and let $R = \{R_1, \ldots, R_v\}$ be random variables over $\mathbb{G}_T$. Let $l = \max\{u, w, v\}$.
We say that $T_b$ is dependent on $P$ if there exist constants $\alpha, \{\beta_i\}$ such that

$$\alpha T_b = \sum_{i=1}^{u} \beta_i P_i$$

where $\alpha \neq 0$. We say that $T_b$ is independent of $P$ if $T_b$ is not dependent on $P$. We say that $\{e(T_b, Q_i)\}_i$ is
dependent on $P \cup Q \cup R$ if there exist constants $\{\alpha_i\}, \{\beta_{i,j}\}, \{\gamma_i\}$ such that

$$\sum_{i=1}^{w} \alpha_i \cdot e(T_b, Q_i) = \sum_{i=1}^{u} \sum_{j=1}^{w} \beta_{i,j} \cdot e(P_i, Q_j) + \sum_{i=1}^{v} \gamma_i \cdot R_i$$

where $\alpha_i \neq 0$ for at least one $i$. We say that $\{e(T_b, Q_i)\}_i$ is independent of $P \cup Q \cup R$ if $\{e(T_b, Q_i)\}_i$ is not
dependent on $P \cup Q \cup R$.

We can obtain the following theorem by using the above dependence and independence of random 
variables. 

Theorem 6.2. Let $P = \{P_1, \ldots, P_u\}$, $T_0, T_1$ be random variables over $\mathbb{G}$ where $T_0 \neq T_1$, let $Q = \{Q_1, \ldots, Q_w\}$
be random variables over $\hat{\mathbb{G}}$, and let $R = \{R_1, \ldots, R_v\}$ be random variables over $\mathbb{G}_T$. Let $l = \max\{u, w, v\}$.
Consider the following experiment in the generic group model:

An algorithm is given $P = \{P_1, \ldots, P_u\}$, $Q = \{Q_1, \ldots, Q_w\}$, and $R = \{R_1, \ldots, R_v\}$. A random
bit $b$ is chosen, and the adversary is given $T_b$. The algorithm outputs a bit $b'$, and succeeds if
$b' = b$. The algorithm’s advantage is the absolute value of the difference between its success
probability and $1/2$.

If $T_b$ is independent of $P$ for all $b \in \{0, 1\}$, and $\{e(T_b, Q_j)\}_j$ is independent of $P \cup Q \cup R$ for all $b \in \{0, 1\}$,
then any algorithm $\mathcal{A}$ issuing at most $q$ instructions has an advantage at most $3(q + 2l)^2 t/p$.

Proof. The proof consists of a sequence of games. The first game will be the original experiment that is
described in the theorem and the last game will be a game that the algorithm has no advantage. We define
the games as follows:

Game $\mathbf{G}_1$. This game is the original game. In this game, the simulator instantiates each of random variables
$P, Q, R, T_b$ by choosing random values for each of the formal variables. Then it gives the handles of
$P, Q, R, T_b$ to the algorithm $\mathcal{A}$. Next, $\mathcal{A}$ requests a sequence of multiplication, exponentiation, and
pairing instructions, and is given the handles of results. Finally, $\mathcal{A}$ outputs a bit $b'$.

Game $\mathbf{G}_2$. We slightly modify $\mathbf{G}_1$ into a new game $\mathbf{G}_2$. In this game, the simulator never concretely
instantiates the formal variables. Instead it keeps the formal polynomials themselves. Additionally, the
simulator gives identical handles for two elements only if these elements are equal as formal polynomials
in each of their components. That is, the simulator of this game assigns different handles for $X$
and $Y$ since these are different polynomials. Note that the simulator of $\mathbf{G}_1$ assigned the same handle
for $X = (X_1, \ldots, X_n)$ and $Y = (Y_1, \ldots, Y_n)$ if $X_i = Y_i$ for all $i$.


To prove the theorem, we will show that the statistical distance between two games $\mathbf{G}_1$ and $\mathbf{G}_2$ is negligible
and the advantage of the algorithm in $\mathbf{G}_2$ is zero. Then the advantage of the algorithm in the original
game is bounded by the statistical distance between two games.

We first show that the statistical distance between two games $\mathbf{G}_1$ and $\mathbf{G}_2$ is negligible. The only difference
between two games is the case that two different formal polynomials take the same value by concrete
instantiation. The probability of this event is at most $t/p$ from the Schwartz-Zippel Lemma [40]. If we
consider all pairs of elements produced by the algorithm $\mathcal{A}$, the statistical distance between two games is at
most $3(q + 2l)^2 t/p$ since $\mathcal{A}$ can request at most $q$ instructions, the maximum size of handles in each group
is at most $q + 2l$, and there are three different groups.

We next show that the advantage of the algorithm in $\mathbf{G}_2$ is zero. In this game, the algorithm $\mathcal{A}$ can only
distinguish whether it is given $T_0$ or $T_1$ if it can generate a formal polynomial that is symbolically
equivalent to some previously generated polynomial for one value of $b$ but not the other. In this case, we have
$\alpha \cdot T_b = \sum_{i=1}^{u} \beta_i \cdot P_i$ where $\alpha \neq 0$, or else we have $\sum_{i=1}^{w} \alpha_i \cdot e(T_b, Q_i) = \sum_{i=1}^{u} \sum_{j=1}^{w} \beta_{i,j} \cdot e(P_i, Q_j) + \sum_{i=1}^{v} \gamma_i \cdot R_i$
where $\alpha_i \neq 0$ for at least one $i$ (otherwise, symbolic equality would hold for both values of $b$). However, the
above equations contradict the independence assumptions of the theorem. Therefore, the advantage
of $\mathcal{A}$ in this game is zero. □


6.2 Analysis of Asymmetric 3-Party Diffie-Hellman 

To apply the master theorem of the previous section, we only need to show the independence of $T_0, T_1$ random
variables. Using the notation of previous section, Assumption 5 (Asymmetric 3-Party Diffie-Hellman) can
be written as

$$P = \{1, A, B, C, AB, A^2 B\},\quad Q = \{1, A, B\},\quad R = \{1\},\quad T_0 = ABC,\quad T_1 = D.$$

At first, we show the independence of $T_1$. It is trivial that $T_1$ is independent of $P$ since a random variable
$D$ does not exist in $P$. It is easy to show that $\{e(T_1, Q_j)\}_j$ is independent of $P \cup Q \cup R$ since $T_1$ contains a
random variable $D$ that does not exist in $P, Q, R$. Next, we show the independence of $T_0$. It is easy to show
that $T_0$ is independent of $P$ since the random variables with degree 3 are different. To show the independence
of $\{e(T_0, Q_i)\}_i$, we can derive the sets of random variables as

$$\begin{aligned}
\{e(T_0, Q_j)\}_j &= \{ABC,\ A^2 BC,\ AB^2 C\}, \\
\{e(P_i, Q_j)\}_{i,j} &= \{1, A, B, C, AB, A^2 B, A^2, AC, A^3 B, B^2, BC, AB^2, A^2 B^2\}, \\
\{R_i\}_i &= \{1\}.
\end{aligned}$$

The random variables of $\{e(T_0, Q_i)\}_i$ always contain $C$ and the degree of these random variables is greater
than 3. However, the random variables of $\{e(P_i, Q_j)\}_{i,j}$ that contain $C$ have the degree at most 2. Thus
$\{e(T_0, Q_i)\}_i$ is independent of $P \cup Q \cup R$.
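
The independence argument for Assumption 5 can be checked mechanically. The Python sketch below is an added example, not code from the paper: it encodes each random variable as a monomial exponent vector, rebuilds the pairing sets, and tests both conditions of Theorem 6.2. The helper names (`mono`, `pairings`, `relations`) are this example's own, and `Q_WEAK` is a constructed variant of the assumption, not taken from the paper, that shows what a dependence looks like.

```python
from itertools import product

VARS = ("A", "B", "C", "D")  # formal variables of Assumption 5

def mono(**e):
    """Monomial as an exponent tuple over VARS: mono(A=2, B=1) is A^2*B."""
    return tuple(e.get(v, 0) for v in VARS)

def mul(x, y):
    """e(k^x, k^y) has discrete log x*y; multiplying monomials adds exponents."""
    return tuple(a + b for a, b in zip(x, y))

def pairings(xs, ys):
    """All monomials e(X, Y) with X in xs and Y in ys."""
    return {mul(x, y) for x, y in product(xs, ys)}

def show(m):
    s = "".join(v if n == 1 else f"{v}^{n}" for v, n in zip(VARS, m) if n)
    return s or "1"

def relations(P, Q, R, T):
    """Monomials that break the independence of T (Definition 6.1).

    Distinct monomials are linearly independent as formal polynomials, so
    when every input is a single monomial a linear relation exists exactly
    when a monomial on the T side also occurs on the other side.
    """
    found = set()
    if T in P:                               # alpha*T = sum beta_i*P_i
        found.add(T)
    reachable = pairings(P, Q) | set(R)      # e(P_i, Q_j) and R_i
    found |= pairings([T], Q) & reachable    # relation in the target group
    return found

ONE = mono()
P = [ONE, mono(A=1), mono(B=1), mono(C=1), mono(A=1, B=1), mono(A=2, B=1)]
Q = [ONE, mono(A=1), mono(B=1)]
R = [ONE]
T0, T1 = mono(A=1, B=1, C=1), mono(D=1)

# Constructed counter-case (not in the paper): the element for C is also
# handed out in the second source group, so that e(AB, C) = e(T0, 1).
Q_WEAK = Q + [mono(C=1)]

if __name__ == "__main__":
    print(sorted(show(m) for m in pairings(P, Q)))
    for name, T in (("T0", T0), ("T1", T1)):
        print(name, "independent:", not relations(P, Q, R, T))
    print("with C in Q:", sorted(show(m) for m in relations(P, Q_WEAK, R, T0)))
```

The set comparison is sufficient only because every element of Assumption 5 is a single monomial; an assumption with multi-term polynomials would need a rank computation over the coefficient matrix instead.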
7 Conclusion


In this paper, we proposed an efficient anonymous HIBE scheme with short ciphertexts and proved its full
model security under static assumptions. Though our construction is based on the IBE scheme of Lewko and
Waters [33], it was not trivial to construct an anonymous HIBE scheme, since the randomization components
of private keys cause a problem in the security proof of dual system encryption. We leave it as an interesting
problem to construct a fully secure and anonymous HIBE scheme with short ciphertexts under standard
assumptions.